Daily summary - 22.11.2021

End-of-Day report

Timeframe: Friday 19-11-2021 18:00 - Monday 22-11-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner

News

Picky PPID Spoofing

Parent Process ID (PPID) spoofing is one of the techniques employed by malware authors to blend into the target system. It works by making the malicious process appear to have been spawned by a different, legitimate-looking parent process. This helps evade detections that rely on anomalous parent-child process relationships.

https://captmeelo.com/redteam/maldev/2021/11/22/picky-ppid-spoofing.html


Command injection prevention for Python

This is a command/code injection prevention cheat sheet by r2c. It contains code patterns of potential ways to run an OS command or arbitrary code in an application. Instead of scrutinizing code for exploitable vulnerabilities, the recommendations in this cheat sheet pave a safe road for developers that mitigates the possibility of command/code injection in your code.

https://semgrep.dev/docs/cheat-sheets/python-command-injection/


Missing Link: How secure is the anonymisation service Tor?

Tor is regarded as a silver bullet against the surveillance mania of intelligence agencies. How easily can the technology be cracked? Is Tor really NSA- and BND-proof?

https://heise.de/-6272025


Virtual mobile networks with Open RAN: BSI sees security risks

The authors of a BSI risk analysis recommend more "security by design" for the further development of Open RAN; retrofitting corrections later would be costly.

https://heise.de/-6274060


UEFI virtual machine firmware hardening through snapshots and attack surface reduction. (arXiv:2111.10167v1 [cs.SE])

This paper introduces the Amaranth project, a solution to some of the contemporary security issues related to UEFI firmware. The authors focus on virtual machines, since that setting simplifies the development of secure UEFI firmware. Security hardening of the firmware is achieved through several techniques, the most important of which are an operating system integrity checking mechanism (through snapshots) and an overall reduction of the firmware size and thus of its attack surface.

http://arxiv.org/abs/2111.10167


Oh ... ransomware is encrypting my virtual machines directly in the hypervisor ... what now?

Many ransomware or ransomware-as-a-service (RaaS) groups now have the ability to encrypt virtual machines directly at the hypervisor level. This means that it is no longer individual clients, workstations or servers at the Windows operating-system level that are affected, but all machines running virtualised on, for example, VMware ESXi or Microsoft Hyper-V, at the same time. The cybersecurity firm CrowdStrike has dedicated two interesting blog posts to this topic.

https://cert.at/de/blog/2021/11/oh-ransomware-verschlusselt-meine-virtuellen-maschinen-direkt-im-hypervisor-wie-jetzt


NSA and CISA Release Guidance on Securing 5G Cloud Infrastructures

CISA has announced the joint National Security Agency (NSA) and CISA publication of the second part of a four-part series, Security Guidance for 5G Cloud Infrastructures. Part II: Securely Isolate Network Resources examines threats to 5G container-centric or hybrid container/virtual network deployments, also known as Pods. The guidance covers several aspects of pod security, including limiting permissions on deployed containers, avoiding resource contention and denial-of-service attacks, and implementing real-time threat detection.

https://us-cert.cisa.gov/ncas/current-activity/2021/11/19/nsa-and-cisa-release-guidance-securing-5g-cloud-infrastructures

Vulnerabilities

Vulnerability Spotlight: Multiple vulnerabilities in Advantech R-SeeNet

R-SeeNet is the software system used for monitoring Advantech routers. It continuously collects information from individual routers in the network and records the data into a SQL database. The vulnerabilities Talos discovered exist in various scripts inside of R-SeeNet's web applications. CVEs: CVE-2021-21920, CVE-2021-21921, CVE-2021-21922, CVE-2021-21923, CVE-2021-21915, CVE-2021-21916, CVE-2021-21917, CVE-2021-21918, CVE-2021-21919, CVE-2021-21910, CVE-2021-21911, CVE-2021-21912

http://blog.talosintelligence.com/2021/11/re-see-net-advantched-vuln-spotlight.html


Security updates for Monday

Security updates have been issued by Debian (firebird3.0, libmodbus, and salt), Fedora (js-jquery-ui and wordpress), Mageia (arpwatch, chromium-browser-stable, php, rust, and wireshark), openSUSE (barrier, firefox, hylafax+, opera, postgresql12, postgresql13, postgresql14, and tomcat), SUSE (ardana-ansible, ardana-monasca, crowbar-openstack, influxdb, kibana, openstack-cinder, openstack-ec2-api, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-keystone, openstack-neutron-gbp, openstack-nova, python-eventlet, rubygem-redcarpet, rubygem-puma, ardana-ansible, ardana-monasca, documentation-suse-openstack-cloud, openstack-ec2-api, openstack-heat-templates, python-Django, python-monasca-common, rubygem-redcarpet, rubygem-puma, firefox, kernel, postgresql, postgresql13, postgresql14, postgresql10, postgresql12, postgresql13, postgresql14, postgresql96, and samba), and Ubuntu (libreoffice).

https://lwn.net/Articles/876655/


Serious Vulnerabilities Found in Wi-Fi Module Designed for Critical Industrial Applications

Talos has published 18 separate advisories describing the vulnerabilities. The researchers have reproduced the vulnerabilities on Lantronix PremierWave 2050 version 8.9.0.0R4, and Talos claims there are no official patches for the security holes, despite the vendor knowing about them since June 15.

https://www.securityweek.com/serious-vulnerabilities-found-wi-fi-module-designed-critical-industrial-applications


ZDI-21-1332: Commvault CommCell AppStudioUploadHandler Arbitrary File Upload Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1332/


ZDI-21-1331: Commvault CommCell Demo_ExecuteProcessOnGroup Exposed Dangerous Function Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1331/


ZDI-21-1330: Commvault CommCell DownloadCenterUploadHandler Arbitrary File Upload Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1330/


ZDI-21-1329: Commvault CommCell DataProvider JavaScript Sandbox Escape Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1329/


ZDI-21-1328: Commvault CommCell CVSearchService Authentication Bypass Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-1328/


Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an issue processing message properties. (CVE-2021-29843)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a-denial-of-service-attack-caused-by-an-issue-processing-message-properties-cve-2021-29843/