Daily summary - 10.03.2021

End-of-Day report

Timeframe: Tuesday 09-03-2021 18:30 - Wednesday 10-03-2021 18:30 Handler: Dimitri Robl Co-Handler: Robert Waldner

News

Exchange hack: Microsoft 365 migration tool replaced by a text file

A Golem.de reader wanted to migrate his employer's Exchange accounts to Microsoft 365. Instead of the helper tool, he got a text file containing a message.

https://www.golem.de/news/exchange-hack-microsoft-365-migrationstool-durch-textdatei-ausgetauscht-2103-154797-rss.html


Unauthenticated MQTT endpoints on Linksys Velop routers enable local DoS

(Edit: this is CVE-2021-1000002) Linksys produces a series of wifi mesh routers under the Velop line. These routers use MQTT to send messages to each other for coordination purposes. In the version I tested against, there was zero authentication on this - anyone on the local network is able to connect to the MQTT interface on a router and send commands.

https://mjg59.dreamwidth.org/56106.html


Microsoft Exchange Server Vulnerabilities Mitigations - updated March 9, 2021

Microsoft previously blogged our strong recommendation that customers upgrade their on-premises Exchange environments to the latest supported version. For customers that are not able to quickly apply updates, we are providing the following alternative mitigation techniques to help Microsoft Exchange customers who need more time to patch their deployments and are willing to make risk and service function trade-offs. These mitigations are not a remediation if your Exchange servers have already been compromised, nor are they full protection against attack.

https://msrc-blog.microsoft.com:443/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/


SharpRDP - PSExec without PSExec, PSRemoting without PowerShell, (Wed, Mar 10th)

With the amount of remediation folks have these days to catch malicious execution of powershell or the use of tools like psexec, red teams have to be asking themselves - what approach is next for lateral movement after you get that first foothold?

https://isc.sans.edu/diary/rss/27188


Researchers Unveil New Linux Malware Linked to Chinese Hackers

Dubbed "RedXOR" by Intezer, the backdoor masquerades as a polkit daemon, with similarities found between the malware and those previously associated with the Winnti Umbrella (or Axiom) threat group such as PWNLNX, XOR.DDOS and Groundhog.

https://thehackernews.com/2021/03/researchers-unveil-new-linux-malware.html


Unpatched Flaws in Netgear Business Switches Expose Organizations to Attacks

Security researchers have identified multiple vulnerabilities in ProSAFE Plus JGS516PE and GS116Ev2 business switches from Netgear, the most severe of which could allow a remote, unauthenticated attacker to execute arbitrary code.

https://www.securityweek.com/unpatched-flaws-netgear-business-switches-expose-organizations-attacks


Targeted HelloKitty Ransomware Attack

SentinelOne has published a blog post analyzing the HelloKitty ransomware family, which was recently leveraged in a targeted attack against CD Projekt Red. HelloKitty appeared in late 2020 and is relatively rudimentary compared to other ransomware families.

https://exchange.xforce.ibmcloud.com/collection/78d773e3e014982f6b10f60ac705950f

Vulnerabilities

Microsoft Patch Tuesday - March 2021

In their March 2021 security updates, Microsoft list eighty-three CVE numbered vulnerabilities. Of those, ten are rated as Critical with the remainder being rated as Important. Aside from the already well publicized exploitation of the Exchange server vulnerabilities, an Internet Explorer vulnerability is reported as being exploited in the wild.

https://exchange.xforce.ibmcloud.com/collection/c82f6a928a7278759e5eec21b3ecc742


Adobe Patch Day: code-execution flaws in Connect, Creative Cloud and Framemaker

Software vendor Adobe has closed several critical security vulnerabilities in various applications.

https://heise.de/-5076338


Version control: Git 2.30.2 fixes security vulnerability when cloning

Under certain circumstances the vulnerability allows scripts to be executed while cloning repositories.

https://heise.de/-5076502


SAP Patch Day: critical vulnerabilities in SAP MII and NetWeaver AS for Java fixed

Among other things, SAP has closed two security vulnerabilities in Manufacturing Integration and Intelligence (MII) and NetWeaver AS Java with CVSS scores close to 10.

https://heise.de/-5076543


Vulnerability Spotlight: Use-after-free vulnerability in 3MF Consortium lib3mf

3MF Consortium's lib3mf library is vulnerable to a use-after-free vulnerability that could allow an adversary to execute remote code on the victim machine. The lib3mf library is an open-source implementation of the 3MF file format and standard, mainly used for 3D-printing. An attacker could send a target a specially crafted file to create a use-after-free condition.

https://blog.talosintelligence.com/2021/03/vuln-spotlight-3mf-lib-.html


Security updates for Wednesday

Security updates have been issued by Debian (kernel and privoxy), Fedora (libtpms, privoxy, and x11vnc), openSUSE (chromium), Red Hat (.NET 5.0, .NET Core, .NET Core 2.1, .NET Core 3.1, dotnet, and dotnet3.1), SUSE (git, kernel, openssl-1_1, and wpa_supplicant), and Ubuntu (git and openssh).

https://lwn.net/Articles/848973/


QEMU: Vulnerability allows execution of arbitrary code with the privileges of the service

CB-K21/0250: QEMU: Vulnerability allows execution of arbitrary code with the privileges of the service

http://www.cert-bund.de/advisoryshort/CB-K21-0250


SSA-979775 V1.0: Stack Overflow Vulnerability in SCALANCE and RUGGEDCOM Devices

https://cert-portal.siemens.com/productcert/txt/ssa-979775.txt


Security Bulletin: IBM Security Privileged Identity Manager is affected by a denial of service vulnerability (CVE-2020-2781)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-a-denial-of-service-vulnerability-cve-2020-2781/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Jan 2021 CPU (CVE-2020-27221)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-tivoli-system-automation-for-multiplatforms-jan-2021-cpu-cve-2020-27221/


Security Bulletin: IBM Security Guardium Insights is affected by a Go denial of service vulnerability (CVE-2020-7919)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-a-go-denial-of-service-vulnerability-cve-2020-7919/


Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2020 and Jan 2021

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-edition-quarterly-cpu-oct-2020-and-jan-2021/


Security Bulletin: IBM Security Privileged Identity Manager is affected by a code execution vulnerability (CVE-2020-4464)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-identity-manager-is-affected-by-a-code-execution-vulnerability-cve-2020-4464/


Security Bulletin: IBM API Connect is impacted by vulnerabilities in Docker (CVE-2021-21285, CVE-2021-21284)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-vulnerabilities-in-docker-cve-2021-21285-cve-2021-21284/


Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Planning (Q12021)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cognos-planning-q12021/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2020 CPU (CVE-2020-14782)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-tivoli-system-automation-application-manager-oct-2020-cpu-cve-2020-14782/


Security Bulletin: WebSphere Application Server is vulnerable to a Directory Traversal vulnerability (CVE-2020-5016)

https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-is-vulnerable-to-a-directory-traversal-vulnerability-cve-2020-5016/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Jan 2021 CPU (CVE-2020-27221)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-tivoli-system-automation-application-manager-jan-2021-cpu-cve-2020-27221/


BIG-IQ DCD vulnerability CVE-2021-22996

https://support.f5.com/csp/article/K16352404?utm_source=f5support&utm_medium=RSS


BIG-IQ HA vulnerability CVE-2021-22995

https://support.f5.com/csp/article/K13155201?utm_source=f5support&utm_medium=RSS


BIG-IQ HA vulnerability CVE-2021-22997

https://support.f5.com/csp/article/K34074377?utm_source=f5support&utm_medium=RSS


F5 TMUI XSS vulnerability CVE-2021-22994

https://support.f5.com/csp/article/K66851119?utm_source=f5support&utm_medium=RSS


BIG-IP MPTCP vulnerability CVE-2021-23003

https://support.f5.com/csp/article/K43470422?utm_source=f5support&utm_medium=RSS


BIG-IP ASM iControl REST vulnerability CVE-2021-23001

https://support.f5.com/csp/article/K06440657?utm_source=f5support&utm_medium=RSS


BIG-IP Advanced WAF and ASM XSS vulnerability CVE-2021-22993

https://support.f5.com/csp/article/K55237223?utm_source=f5support&utm_medium=RSS


BIG-IP TMM vulnerability CVE-2021-23000

https://support.f5.com/csp/article/K34441555?utm_source=f5support&utm_medium=RSS


BIG-IP SNAT vulnerability CVE-2021-22998

https://support.f5.com/csp/article/K31934524?utm_source=f5support&utm_medium=RSS


BIG-IQ HA vulnerability CVE-2021-23005

https://support.f5.com/csp/article/K01243064?utm_source=f5support&utm_medium=RSS


BIG-IP MPTCP vulnerability CVE-2021-23004

https://support.f5.com/csp/article/K31025212?utm_source=f5support&utm_medium=RSS


BIG-IQ XSS vulnerability CVE-2021-23006

https://support.f5.com/csp/article/K30585021?utm_source=f5support&utm_medium=RSS


BIG-IP APM VPN vulnerability CVE-2021-23002

https://support.f5.com/csp/article/K71891773?utm_source=f5support&utm_medium=RSS


TMM buffer-overflow vulnerability CVE-2021-22991

https://support.f5.com/csp/article/K56715231?utm_source=f5support&utm_medium=RSS


TMUI authenticated remote command execution vulnerability CVE-2021-22988

https://support.f5.com/csp/article/K70031188?utm_source=f5support&utm_medium=RSS


Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22990

https://support.f5.com/csp/article/K45056101?utm_source=f5support&utm_medium=RSS


BIG-IP HTTP/2 vulnerability CVE-2021-22999

https://support.f5.com/csp/article/K02333782?utm_source=f5support&utm_medium=RSS


Appliance mode TMUI authenticated remote command execution vulnerability CVE-2021-22987

https://support.f5.com/csp/article/K18132488?utm_source=f5support&utm_medium=RSS


iControl REST unauthenticated remote command execution vulnerability CVE-2021-22986

https://support.f5.com/csp/article/K03009991?utm_source=f5support&utm_medium=RSS


Advanced WAF/ASM buffer-overflow vulnerability CVE-2021-22992

https://support.f5.com/csp/article/K52510511?utm_source=f5support&utm_medium=RSS


Appliance mode Advanced WAF/ASM TMUI authenticated remote command execution vulnerability CVE-2021-22989

https://support.f5.com/csp/article/K56142644?utm_source=f5support&utm_medium=RSS


glibc vulnerability CVE-2021-3326

https://support.f5.com/csp/article/K44945790?utm_source=f5support&utm_medium=RSS