Daily summary - 02.12.2021

End-of-Day report

Timeframe: Wednesday 01-12-2021 18:00 - Thursday 02-12-2021 18:00 Handler: Wolfgang Menezes Co-Handler: Robert Waldner

News

New malware hides as legit nginx process on e-commerce servers

eCommerce servers are being targeted with remote access malware that hides on Nginx servers in a way that makes it virtually invisible to security solutions. [...] Because NginRAT hides as a normal Nginx process and the code exists only in the server's memory, detecting it may be a challenge. However, the malware is launched using two variables, LD_PRELOAD and LD_L1BRARY_PATH. Administrators can use the latter, which contains the "typo", to reveal the active malicious processes.

https://www.bleepingcomputer.com/news/security/new-malware-hides-as-legit-nginx-process-on-e-commerce-servers/
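The check the article hints at, written out as an added example (not code from the article or from the NginRAT analysis it summarises): walk the process environments under /proc and list every process whose environment carries the misspelled LD_L1BRARY_PATH variable. Only the variable name comes from the text; the function name and the optional proc-root parameter are assumptions made here so the check can also be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example: detect processes launched with the misspelled variable
# LD_L1BRARY_PATH in their environment (the indicator named in the article).
# find_ld_l1brary_path [proc_root]
#   Prints "<pid> <comm>" for every process whose environ contains the variable.
#   Returns 0 if at least one hit was found, 1 otherwise.
#   proc_root is an assumption of this example; it defaults to /proc.
find_ld_l1brary_path() {
    proc_root="${1:-/proc}"
    found=1
    for envfile in "$proc_root"/[0-9]*/environ; do
        # Unreadable entries: kernel threads, or other users' processes when
        # not running as root (environ is protected by ptrace access rules).
        [ -r "$envfile" ] || continue
        piddir="${envfile%/environ}"
        # environ is NUL-separated: split on NUL and match the exact variable name
        if tr '\000' '\n' < "$envfile" 2>/dev/null | grep -q '^LD_L1BRARY_PATH='; then
            comm="unknown"
            [ -r "$piddir/comm" ] && comm="$(cat "$piddir/comm")"
            printf '%s %s\n' "${piddir##*/}" "$comm"
            found=0
        fi
    done
    return $found
}

# On a live system (run as root so every process's environ is readable):
#   find_ld_l1brary_path
```

Note that /proc/PID/environ reflects the environment block at exec time, so a process that later scrubs its own environment would not be caught by this check alone; treat a hit as a strong indicator and an empty result as inconclusive.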


Nine WiFi routers used by millions were vulnerable to 226 flaws

Security researchers analyzed nine popular WiFi routers and found a total of 226 potential vulnerabilities in them, even when running the latest firmware.

https://www.bleepingcomputer.com/news/security/nine-wifi-routers-used-by-millions-were-vulnerable-to-226-flaws/


WordPress Admin Creator - A Simple, But Effective Attack

Malicious admin users get added to vulnerable WordPress sites often. This can happen in a variety of different ways, and sometimes the malware that creates these malicious users can hide in plain sight. Injecting a malicious admin user into a WordPress site can allow attackers easy access back into a victims' website after it has been cleaned.

https://blog.sucuri.net/2021/12/wordpress-admin-creator-a-simple-but-effective-attack.html


pip-audit

pip-audit is a tool for scanning Python environments for packages with known vulnerabilities. It uses the Python Packaging Advisory Database via the PyPI JSON API as a source of vulnerability reports.

https://pypi.org/project/pip-audit/


Buy the digital vignette only from official shops!

The vignette for the year 2022 is already valid on Austrian motorways from 1 December. The digital vignette can be bought not only at various official points of sale but also online. Dubious vendors exploit this and offer the digital vignette at unjustifiably higher prices.

https://www.watchlist-internet.at/news/digitale-vignette-nur-in-offiziellen-shops-kaufen/


Azure Privilege Escalation via Azure API Permissions Abuse

In this post, I will explain how one of those permissions systems can be abused to escalate to Global Admin. I'll explain how you as an attacker can abuse this system, and I will also explain how you as a defender can find, clean up, and prevent these abusable configurations.

https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48


Windows 10/11: Trap in the "trusted" app installer; Emotet exploits it

Ho ho, folks, today we can open the second door of the advent calendar and see what nice things Microsoft has hidden behind it to frighten administrators. Today we find the AppX installer, which is used in Windows 10 and Windows 11 to install applications and apps. Here is a short overview of why the words "Trusted Apps" should not be taken quite so literally: the associated installer can certainly wash malware onto the system (Emotet is currently using this in attacks) while, because of a serious design flaw, still presenting the apps as Trusted.

https://www.borncity.com/blog/2021/12/02/windows-10-11-falle-beim-trusted-apps-installer/

Vulnerabilities

BigSig vulnerability: Mozilla closes critical flaw in NSS crypto library

If applications use Mozilla's Network Security Services for secure communication, a critical vulnerability could cause problems. [...] The library is used, for example, in the Thunderbird e-mail client, LibreOffice and various PDF viewers. According to an advisory from Mozilla, its own Firefox web browser is not affected by the vulnerability (CVE-2021-43527), which is rated "critical".

https://heise.de/-6281977


Multiple missing authorization vulnerabilities in WordPress Plugin "Advanced Custom Fields"

Users of this product may do the following:
- Browse unauthorized data on the database - CVE-2021-20865
- Obtain a list of information that a user does not have the privilege for - CVE-2021-20866
- Move field groups that a user does not have permission to use - CVE-2021-20867

Solution: Update the plugin

https://jvn.jp/en/jp/JVN09136401/


ZDI-21-1373: Jenkins Report Info XML External Entity Processing Information Disclosure Vulnerability

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Jenkins Report Info. Authentication is required to exploit this vulnerability.

http://www.zerodayinitiative.com/advisories/ZDI-21-1373/


Multiple vulnerabilities in OrbiTeam BSCW Server

The BSCW Server of OrbiTeam Software GmbH & Co. KG is prone to multiple vulnerabilities like reflected and stored XSS, LFI and Open Redirect. It is possible to chain these vulnerabilities and compromise the server even without a valid login.

https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-bscw-server/


Security updates for Thursday

Security updates have been issued by CentOS (kernel, openssh, and rpm), Debian (nss), Fedora (seamonkey), Mageia (glibc), openSUSE (go1.16, go1.17, kernel, mariadb, netcdf, openexr, poppler, python-Pygments, python-sqlparse, ruby2.5, speex, and webkit2gtk3), Oracle (nss), Red Hat (nss), SUSE (clamav, glibc, gmp, go1.16, go1.17, kernel, mariadb, netcdf, OpenEXR, openexr, openssh, poppler, python-Pygments, python-sqlparse, ruby2.1, ruby2.5, speex, webkit2gtk3, and xen), and Ubuntu (nss and thunderbird).

https://lwn.net/Articles/877410/


Delta Electronics CNCSoft - ICS Advisory (ICSA-21-334-03)

https://us-cert.cisa.gov/ics/advisories/icsa-21-334-03


Security Bulletin: OpenSSH for IBM i is affected by CVE-2021-41617

https://www.ibm.com/blogs/psirt/security-bulletin-openssh-for-ibm-i-is-affected-by-cve-2021-41617/


Security Bulletin: Apache Commons FileUpload vulnerability affects IBM Tivoli Business Service Manager (CVE-2013-0248)

https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-fileupload-vulnerability-affects-ibm-tivoli-business-service-manager-cve-2013-0248/


Security Bulletin: Security Vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU - Oct 2020 - affect multiple IBM Continuous Engineering products based on IBM Jazz Technology

https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2020-affect-multiple-ibm-continuous-engineering-products-based-on-ibm-jazz-technology/


Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Mozilla Firefox

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoringhas-applied-security-fixes-for-its-use-of-mozilla-firefox-2/


Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Netty.io

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoring-has-applied-security-fixes-for-its-use-of-netty-io/


Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities-11/


Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Mozilla Firefox

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoringhas-applied-security-fixes-for-its-use-of-mozilla-firefox/


Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Mozilla Firefox

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoring-has-applied-security-fixes-for-its-use-of-mozilla-firefox/


Security Bulletin: IBM QRadar SIEM Application Framework v1 (CentOS6) is End of Life

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-application-framework-v1-centos6-is-end-of-life/


Security Bulletin: IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Apache Commons

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-has-applied-security-fixes-for-its-use-of-apache-commons/


Security Bulletin: Apache Wink as used by IBM Disconnected Log Collector is vulnerable to an XML External Entity Error (XXE) (CVE-2010-2245)

https://www.ibm.com/blogs/psirt/security-bulletin-apache-wink-as-used-by-ibm-disconnected-log-collector-is-vulnerable-to-an-xml-external-entity-error-xxe-cve-2010-2245-2/