End-of-Day report
Timeframe: Monday 08-03-2021 18:30 - Tuesday 09-03-2021 18:30
Handler: Dimitri Robl
Co-Handler: Robert Waldner
News
z0Miner botnet hunts for unpatched ElasticSearch, Jenkins servers
A cryptomining botnet spotted last year is now targeting and attempting to take control of Jenkins and ElasticSearch servers to mine for Monero (XMR) cryptocurrency.
https://www.bleepingcomputer.com/news/security/z0miner-botnet-hunts-for-unpatched-elasticsearch-jenkins-servers/
GitHub Fixed a Bug impacting Authenticated Sessions
Earlier this month GitHub received a report of anomalous behavior from an external party, therefore they fixed the bug trying to protect user accounts against a potentially serious security vulnerability. The weird behavior was generated by a race condition vulnerability that misrouted the GitHub user's login session to the web browser of another logged-in user, [...]
https://heimdalsecurity.com/blog/github-fixes-bug/
Serious Security: Webshells explained in the aftermath of HAFNIUM attacks
Webshells explained, with some (safe) examples you can try at home if you want to learn more.
https://nakedsecurity.sophos.com/2021/03/09/serious-security-webshells-explained-in-the-aftermath-of-hafnium-attacks/
9 Android Apps On Google Play Caught Distributing AlienBot Banker and MRAT Malware
Cybersecurity researchers have discovered a new malware dropper contained in as many as 9 Android apps distributed via Google Play Store that deploys a second stage malware capable of gaining intrusive access to the financial accounts of victims as well as full control of their devices. "This dropper, dubbed Clast82, utilizes a series of techniques to avoid detection by Google Play Protect [...]
https://thehackernews.com/2021/03/9-android-apps-on-google-play-caught.html
Fuzzing grub: part 1
Recently a set of 8 vulnerabilities were disclosed for the grub bootloader. I found 2 of them (CVE-2021-20225 and CVE-2021-20233), and contributed a number of other fixes for crashing bugs which we don't believe are exploitable. I found them by applying fuzz testing to grub. Here's how.
https://sthbrx.github.io/blog/2021/03/04/fuzzing-grub-part-1/
Beware of fraudulent apartment listings on Facebook Marketplace
Rental and owner-occupied apartments are also advertised on Facebook Marketplace. If the price is very low, however, you should be careful, as it could be fraud. If landlords claim to be abroad and want to handle the viewing and the transfer of the deposit via Airbnb, you can safely assume it is fraud!
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-wohnungsinseraten-im-facebook-marketplace/
Overview of dnsmasq Vulnerabilities: The Dangers of DNS Cache Poisoning
We review vulnerabilities in dnsmasq, an open source DNS resolver, deep dive into DNS cache poisoning and describe effects on cloud products.
https://unit42.paloaltonetworks.com/overview-of-dnsmasq-vulnerabilities-the-dangers-of-dns-cache-poisoning/
Vulnerabilities
Adobe fixes critical Creative Cloud, Adobe Connect vulnerabilities
Adobe has released security updates that fix vulnerabilities in Adobe Creative Cloud Desktop, Framemaker, and Connect.
https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-creative-cloud-adobe-connect-vulnerabilities/
Apple Plugs Severe WebKit Remote Code-Execution Hole
Apple pushed out security updates for a memory-corruption bug to devices running on iOS, macOS, watchOS and for Safari.
https://threatpost.com/apple-webkit-remote-code-execution/164595/
Security updates for Tuesday
Security updates have been issued by Fedora (firefox, kernel, kernel-headers, kernel-tools, libebml, and wpa_supplicant), openSUSE (mbedtls), Oracle (kernel, kernel-container, and screen), Red Hat (curl, kernel, kernel-rt, kpatch-patch, nss-softokn, python, and virt:rhel and virt-devel:rhel), Scientific Linux (screen), SUSE (389-ds, crmsh, openldap2, openssl-1_0_0, and wpa_supplicant), and Ubuntu (glib2.0, gnome-autoar, golang-1.10, golang-1.14, and libzstd).
https://lwn.net/Articles/848835/
Siemens Releases Several Advisories for Vulnerabilities in Third-Party Components
Siemens on Tuesday published 12 new security advisories to inform customers about nearly two dozen vulnerabilities affecting its products.
https://www.securityweek.com/siemens-releases-several-advisories-vulnerabilities-third-party-components
Synology-SA-21:11 Download Station
A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Download Station.
https://www.synology.com/en-global/support/security/Synology_SA_21_11
Synology-SA-21:10 Media Server
A vulnerability allows remote attackers to access intranet resources via a susceptible version of Media Server.
https://www.synology.com/en-global/support/security/Synology_SA_21_10
SAP Security Patch Day - March 2021
On 9th of March 2021, SAP Security Patch Day saw the release of 9 Security Notes. There were 4 updates to previously released Patch Day Security Notes.
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=571343107
Microsoft Exchange attacks: Now Microsoft rushes out a patch for these unsupported Exchange servers, too
Microsoft provides more patches for critical Exchange vulnerabilities that are being exploited widely on the internet.
https://www.zdnet.com/article/microsoft-exchange-attacks-now-microsoft-rushes-out-a-patch-for-these-unsupported-exchange-servers-too/
Squid: vulnerability allows bypassing of security measures
https://www.cert-bund.de/advisoryshort/CB-K21-0241
Red Hat Enterprise Linux: vulnerability allows execution of arbitrary code with the privileges of the service
https://www.cert-bund.de/advisoryshort/CB-K21-0247
Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring returns potentially sensitive information in headers which could lead to further attacks against the system.
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicloud-management-monitoring-returns-potentially-sensitive-information-in-headers-which-could-lead-to-further-attacks-against-the-system/
Security Bulletin: Google Protocol Buffers as used by IBM QRadar SIEM is vulnerable to arbitrary code execution (CVE-2015-5237)
https://www.ibm.com/blogs/psirt/security-bulletin-google-protocol-buffers-as-used-by-ibm-qradar-siem-is-vulnerable-to-arbitrary-code-execution-cve-2015-5237/
Security Bulletin: Information leakage vulnerability affect IBM Business Automation Workflow - CVE-2021-20358
https://www.ibm.com/blogs/psirt/security-bulletin-information-leakage-vulnerability-affect-ibm-business-automation-workflow-cve-2021-20358/
Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2020 - Includes Oracle Oct 2020 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2020-includes-oracle-oct-2020-cpu-affects-ibm-tivoli-composite-application-manager-for-transactions-robotic-response-time/
Security Bulletin: Multiple security vulnerabilities with IBM Content Navigator component in IBM Business Automation Workflow - CVE-2020-4687, CVE-2020-4760, CVE-2020-4704
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-with-ibm-content-navigator-component-in-ibm-business-automation-workflow-cve-2020-4687-cve-2020-4760-cve-2020-4704-3/
Security Bulletin: Multiple security vulnerabilities in JAVA affects IBM Cloud Pak for Multicloud Management Monitoring
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-java-affects-ibm-cloud-pak-for-multicloud-management-monitoring/
Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulnerability-from-kernel-affects-ibm-netezza-host-management-14/
Security Bulletin: Vulnerability in FasterXML Jackson libraries affect IBM Cúram Social Program Management (CVE-2020-25649)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fasterxml-jackson-libraries-affect-ibm-cram-social-program-management-cve-2020-25649/