End-of-Day report
Timeframe: Friday 19-11-2021 18:00 - Monday 22-11-2021 18:00
Handler: Wolfgang Menezes
Co-Handler: Robert Waldner
News
Picky PPID Spoofing
Parent Process ID (PPID) Spoofing is one of the techniques employed by malware authors to blend into the target system. This is done by making the malicious process look like it was spawned by another process than the one that actually created it. This helps evade detections that are based on anomalous parent-child process relationships.
https://captmeelo.com/redteam/maldev/2021/11/22/picky-ppid-spoofing.html
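The post above covers the offensive side. As an added example (not code from the linked post), the following Python sketch shows the defensive counterpart: how to flag a spoofed parent when the telemetry records both the parent PID the child reports and the PID of the process that actually issued the creation call (the ETW event header PID, which a spoofing loader cannot rewrite, unlike the ParentProcessId field it sets through PROC_THREAD_ATTRIBUTE_PARENT_PROCESS). Field names, the record shape and the sample events are constructed for illustration.

```python
"""Spot Parent PID (PPID) spoofing in process-creation telemetry.

Added example, not code from the linked post. Assumptions (labelled):
- Each record carries the parent PID as the child reports it (what Sysmon
  Event ID 1 and the event body of ETW Microsoft-Windows-Kernel-Process show;
  a spoofing loader controls this via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS).
- Each record also carries the PID from the ETW event header, i.e. the
  process that actually called CreateProcess. Field names are made up here.
- The sample events and start times below are constructed, not real data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessStart:
    child_pid: int
    image: str
    logged_ppid: int     # ParentProcessId as written in the event body
    creator_pid: int     # ProcessId from the ETW event header
    create_time: float   # epoch seconds


@dataclass(frozen=True)
class Finding:
    child_pid: int
    image: str
    logged_ppid: int
    creator_pid: int
    reason: str


def detect_ppid_spoofing(events: List[ProcessStart],
                         proc_start_times: Dict[int, float]) -> List[Finding]:
    """Return one Finding per event whose parent claim does not hold up.

    Signal 1 (strong): the header PID that issued the creation is not the
    parent the child reports.
    Signal 2 (weaker heuristic): the claimed parent, as seen in a process
    snapshot, only started after the child did, so the PID was reused and
    that process cannot be the real parent.
    proc_start_times maps PID -> start time taken from the snapshot.
    """
    findings: List[Finding] = []
    for ev in events:
        reason: Optional[str] = None
        if ev.creator_pid != ev.logged_ppid:
            reason = "creator PID differs from logged parent PID"
        else:
            parent_start = proc_start_times.get(ev.logged_ppid)
            if parent_start is not None and parent_start > ev.create_time:
                reason = "logged parent started after the child (PID reuse)"
        if reason:
            findings.append(Finding(ev.child_pid, ev.image, ev.logged_ppid,
                                    ev.creator_pid, reason))
    return findings


# Constructed sample: explorer.exe (1234) legitimately starts cmd.exe;
# loader.exe (4321) starts powershell.exe but claims explorer.exe as parent;
# rundll32.exe claims PID 777, which in the snapshot belongs to a process
# that only started later.
SAMPLE_EVENTS = [
    ProcessStart(5000, r"C:\Windows\System32\cmd.exe", 1234, 1234, 1000.0),
    ProcessStart(5001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 1234, 4321, 1001.0),
    ProcessStart(5002, r"C:\Windows\System32\rundll32.exe", 777, 777, 1002.0),
]
SAMPLE_START_TIMES = {1234: 10.0, 4321: 900.0, 777: 1500.0}


def sample_findings() -> List[Finding]:
    """Run the detector over the constructed sample."""
    return detect_ppid_spoofing(SAMPLE_EVENTS, SAMPLE_START_TIMES)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"PID {f.child_pid} {f.image}: claims parent {f.logged_ppid}, "
              f"created by {f.creator_pid} -> {f.reason}")
```

The first signal is the one worth building on: a rule that keys only on ParentProcessId (as most parent-child rules do) sees exactly the relationship the attacker chose, which is why the technique works. The second signal is a heuristic and will produce noise on busy hosts; treat it as enrichment, not as an alert on its own.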
Command injection prevention for Python
This is a command/code injection prevention cheat sheet by r2c. It contains code patterns of potential ways to run an OS command or arbitrary code in an application. Instead of scrutinizing code for exploitable vulnerabilities, the recommendations in this cheat sheet pave a safe road for developers that mitigates the possibility of command/code injection in your code.
https://semgrep.dev/docs/cheat-sheets/python-command-injection/
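As an added example (not part of the cheat sheet), the block below contrasts the three shapes a Python command invocation can take and shows why only the last one is safe: a string passed with shell=True hands user input to the shell's parser, an argv list keeps the input inside a single argument but still allows argument injection through a leading dash, and an argv list behind an allow-list closes both holes. The helper that approximates the shell's splitting is for illustration only; nothing is executed on the vulnerable path. Function names and the sample inputs are made up for this example.

```python
"""Command injection in Python: vulnerable, half-fixed and hardened forms.

Added example, not from the cheat sheet. `shell_would_run` only approximates
how /bin/sh splits a line on ';', '|', '&&' and '||'; it never executes it.
"""
import re
import shlex
import subprocess
from typing import List

# Allow-list for a DNS name or IPv4 literal: no shell metacharacters and,
# importantly, no leading '-' so the value can never be parsed as an option.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_command_vulnerable(host: str) -> str:
    """VULNERABLE: meant for subprocess.run(cmd, shell=True).
    Whatever metacharacters `host` carries are interpreted by the shell."""
    return f"ping -c 1 {host}"


def shell_would_run(command: str) -> List[List[str]]:
    """Show what a POSIX shell would see: a list of separate argv lists.
    Uses shlex with punctuation_chars so ';' '|' '&&' '||' become tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok in (";", "|", "&&", "||"):
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def build_command_argv_unvalidated(host: str) -> List[str]:
    """BETTER BUT INCOMPLETE: no shell, so ';' stays inside one argument.
    Still open to argument injection: host='-f' would become a ping option."""
    return ["ping", "-c", "1", host]


def build_command_safe(host: str) -> List[str]:
    """HARDENED: argv list plus allow-list validation; raises on bad input."""
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_safe(host: str) -> subprocess.CompletedProcess:
    """The only function here that executes anything. shell=False is the
    default for a list argv; it is spelled out to make the point visible."""
    return subprocess.run(build_command_safe(host), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    payload = "8.8.8.8; id"                       # constructed attacker input
    print(shell_would_run(build_command_vulnerable(payload)))
    # -> [['ping', '-c', '1', '8.8.8.8'], ['id']]   the shell runs `id` too
    print(build_command_argv_unvalidated(payload))
    # -> ['ping', '-c', '1', '8.8.8.8; id']         one (invalid) hostname arg
    print(build_command_argv_unvalidated("-f"))
    # -> ['ping', '-c', '1', '-f']                  argument injection remains
    try:
        build_command_safe(payload)
    except ValueError as exc:
        print("blocked:", exc)
```

shlex.quote() is the right tool when a shell genuinely cannot be avoided (for example a command with pipes the caller must keep), but it only protects against shell parsing, not against the target program interpreting a value as an option. The allow-list handles both, which is why validation stays in the hardened form even though it already uses an argv list.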
Missing Link: How secure is the Tor anonymisation service?
Tor is regarded as a silver bullet against the surveillance mania of intelligence agencies. How well can the technology be cracked? Is Tor really NSA- and BND-proof?
https://heise.de/-6272025
Virtual mobile networks with Open RAN: BSI sees security risks
The authors of a BSI risk analysis recommend more "security by design" for the further development of Open RAN; retrofitting fixes later would be costly.
https://heise.de/-6274060
UEFI virtual machine firmware hardening through snapshots and attack surface reduction. (arXiv:2111.10167v1 [cs.SE])
This paper introduces the Amaranth project, a solution to some of the contemporary security issues related to UEFI firmware. In this work we focused our attention on virtual machines, as this allowed us to simplify the development of secure UEFI firmware. Security hardening of our firmware is achieved through several techniques, the most important of which are an operating system integrity checking mechanism (through snapshots) and overall firmware size reduction.
http://arxiv.org/abs/2111.10167
Oh ... ransomware is encrypting my virtual machines directly in the hypervisor ... what now?
Many ransomware or ransomware-as-a-service (RaaS) groups now have the ability to encrypt virtual machines directly at the hypervisor level. This means that it is no longer individual clients, workstations or servers at the Windows operating-system level that are hit, but all machines running virtualised on, for example, VMware ESXi or Microsoft Hyper-V, at the same time. The cybersecurity company Crowdstrike has dedicated two interesting blog posts to this topic.
https://cert.at/de/blog/2021/11/oh-ransomware-verschlusselt-meine-virtuellen-maschinen-direkt-im-hypervisor-wie-jetzt
NSA and CISA Release Guidance on Securing 5G Cloud Infrastructures
CISA has announced the joint National Security Agency (NSA) and CISA publication of the second of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part II: Securely Isolate Network Resources examines threats to 5G container-centric or hybrid container/virtual networks, also known as Pods. The guidance covers several aspects of pod security, including limiting permissions on deployed containers, avoiding resource contention and denial-of-service attacks, and implementing real-time threat detection.
https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/nsa-and-cisa-release-guidance-securing-5g-cloud-infrastructures
Vulnerabilities
Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet
R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database. The vulnerabilities Talos discovered exist in various scripts inside of R-SeeNet's web applications.
CVEs: CVE-2021-21920, CVE-2021-21921, CVE-2021-21922, CVE-2021-21923, CVE-2021-21915, CVE-2021-21916, CVE-2021-21917, CVE-2021-21918, CVE-2021-21919, CVE-2021-21910, CVE-2021-21911, CVE-2021-21912
http://blog.talosintelligence.com/2021/11/re-see-net-advantched-vuln-spotlight.html
Security updates for Monday
Security updates have been issued by Debian (firebird3.0, libmodbus, and salt), Fedora (js-jquery-ui and wordpress), Mageia (arpwatch, chromium-browser-stable, php, rust, and wireshark), openSUSE (barrier, firefox, hylafax+, opera, postgresql12, postgresql13, postgresql14, and tomcat), SUSE (ardana-ansible, ardana-monasca, crowbar-openstack, influxdb, kibana, openstack-cinder, openstack-ec2-api, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-keystone, openstack-neutron-gbp, openstack-nova, python-eventlet, rubygem-redcarpet, rubygem-puma, ardana-ansible, ardana-monasca, documentation-suse-openstack-cloud, openstack-ec2-api, openstack-heat-templates, python-Django, python-monasca-common, rubygem-redcarpet, rubygem-puma, firefox, kernel, postgresql, postgresql13, postgresql14, postgresql10, postgresql12, postgresql13, postgresql14, postgresql96, and samba), and Ubuntu (libreoffice).
https://lwn.net/Articles/876655/
Serious Vulnerabilities Found in Wi-Fi Module Designed for Critical Industrial Applications
Talos has published 18 separate advisories describing the vulnerabilities. The researchers have reproduced the vulnerabilities on Lantronix PremierWave 2050 version 8.9.0.0R4, and Talos claims there are no official patches for the security holes, despite the vendor knowing about them since June 15.
https://www.securityweek.com/serious-vulnerabilities-found-wi-fi-module-designed-critical-industrial-applications
ZDI-21-1332: Commvault CommCell AppStudioUploadHandler Arbitrary File Upload Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-21-1332/
ZDI-21-1331: Commvault CommCell Demo_ExecuteProcessOnGroup Exposed Dangerous Function Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-21-1331/
ZDI-21-1330: Commvault CommCell DownloadCenterUploadHandler Arbitrary File Upload Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-21-1330/
ZDI-21-1329: Commvault CommCell DataProvider JavaScript Sandbox Escape Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-21-1329/
ZDI-21-1328: Commvault CommCell CVSearchService Authentication Bypass Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-21-1328/
Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an issue processing message properties. (CVE-2021-29843)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a-denial-of-service-attack-caused-by-an-issue-processing-message-properties-cve-2021-29843/