End-of-Day report
Timeframe: Wednesday 24-03-2021 18:00 - Thursday 25-03-2021 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Cisco fixes remote vulnerabilities in Jabber clients for Windows, macOS & mobile systems
An update closes entry points, some rated critical, in Cisco's Jabber client for Win, macOS, Android & iOS. Other products also received updates.
https://heise.de/-5997987
IETF declares TLS forefathers 1.0 and 1.1 obsolete
Weak cryptography and plenty of security vulnerabilities have led to the end of TLS 1.0 and 1.1.
https://heise.de/-5997963
Fleeceware lures users into subscription traps
Researchers at Avast have discovered hundreds of fleeceware mobile apps on Google Play and in the Apple App Store with which their developers earn millions of dollars.
https://www.zdnet.de/88394043/fleeceware-lockt-in-abofallen/
QNAP warns of ongoing brute-force attacks against NAS devices
QNAP warns customers of ongoing attacks targeting QNAP NAS (network-attached storage) devices and urges them to immediately take action to mitigate them.
https://www.bleepingcomputer.com/news/security/qnap-warns-of-ongoing-brute-force-attacks-against-nas-devices/
Threat landscape for industrial automation systems. Statistics for H2 2020
We continued our observations and identified a number of trends that could, in our opinion, be due to circumstances connected with the pandemic in one way or another, as well as the reaction of governments, organizations and people to these circumstances.
https://securelist.com/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2020/101299/
Microsoft Exchange Vulnerability (CVE-2021-26855) Scan Analysis
On March 2, 2021, Microsoft disclosed a remote code execution vulnerability in Microsoft Exchange server[1]. We customized our Anglerfish honeypot to simulate and deploy Microsoft Exchange honeypot plug-in on March 3, and soon we started to see a large amount of related data, so far, we have already [...]
https://blog.netlab.360.com/microsoft-exchange-vulnerability-cve-2021-26855-scan-analysis-3/
From Creative Password Hashes to Administrator: Gone in 60 Seconds (Or Thereabouts)
Picture the scene, you're on an application penetration test (as a normal user) and you've managed to bag yourself some password hashes from the application. This can happen in various ways but in my experience, this is often the result of either a SQL injection vulnerability (resulting in the dumping of the users table) or finding that the application (or associated API) spits these hashes out in responses (because they are only hashes and what could go wrong!?).
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-creative-password-hashes-to-administrator-gone-in-60-seconds-or-thereabouts/
Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild
On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme's "Legacy" Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. We estimate that more than 100,000 WordPress sites are using Thrive Theme products [...]
https://www.wordfence.com/blog/2021/03/recently-patched-vulnerability-in-thrive-themes-actively-exploited-in-the-wild/
Mamba Ransomware Leverages DiskCryptor for Encryption, FBI Warns
The Federal Bureau of Investigation (FBI) this week published an alert to warn of the fact that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives, including the operating system.
https://www.securityweek.com/mamba-ransomware-leverages-diskcryptor-encryption-fbi-warns
Webshells Observed in Post-Compromised Exchange Servers
CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each new MAR (AR21-084A and AR21-084B) identifies a webshell observed in post-compromised Microsoft Exchange Servers. After successfully exploiting a Microsoft Exchange Server vulnerability for initial access, a malicious cyber actor can upload a webshell to enable remote administration of the affected system.
https://us-cert.cisa.gov/ncas/current-activity/2021/03/25/webshells-observed-post-compromised-exchange-servers
Vulnerabilities
Crypto library: OpenSSL vulnerability in certificate checks
A flaw in OpenSSL's certificate validation affects only a few applications; a further bug lets servers crash.
https://www.golem.de/news/kryptobibliothek-openssl-luecke-in-zertifikatschecks-2103-155262-rss.html
SAP® privilege escalation through ABAP code injection in SAP® Business Warehouse
This blog post aims to give an overview of a critical ABAP code injection vulnerability within the function module RSDMD_BATCH_CALL in SAP® Business Warehouse and to illustrate its impact.
https://sec-consult.com/de/blog/detail/privilege-escalation-abap-code-injection-sap-business-warehouse/
Two Vulnerabilities Patched in Facebook for WordPress Plugin
On December 22, 2020, our Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites. This flaw made it possible for unauthenticated attackers with access to a site's secret salts and keys to achieve remote code execution through a deserialization [...]
https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr and lxml), Fedora (jasper), openSUSE (gnutls, hawk2, ldb, libass, nghttp2, and ruby2.5), Oracle (pki-core:10.6), Red Hat (firefox and thunderbird), SUSE (evolution-data-server, ldb, python3, and zstd), and Ubuntu (ldb, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-signed, linux-snapdragon, and linux, linux-lts-xenial).
https://lwn.net/Articles/850498/
Intel Ethernet controller vulnerabilities CVE-2020-24492, CVE-2020-24493, CVE-2020-24494, CVE-2020-24495, CVE-2020-24496
https://support.f5.com/csp/article/K91610944?utm_source=f5support&utm_medium=RSS
Red Hat OpenShift: Multiple vulnerabilities
https://www.cert-bund.de/advisoryshort/CB-K21-0308
Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Go vulnerabilities (CVE-2020-28851 and CVE-2020-28852)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-vulnerable-to-go-vulnerabilities-cve-2020-28851-and-cve-2020-28852/
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-security-directory-server-3/
Security Bulletin: Operations Dashboard is vulnerable to Go vulnerabilities (CVE-2021-3114 and CVE-2021-3115)
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-go-vulnerabilities-cve-2021-3114-and-cve-2021-3115/
Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java Technology Edition affect IBM Operational Decision Manager (Oct 2020 and Jan 2021 CPUs)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-sdk-java-technology-edition-affect-ibm-operational-decision-manager-oct-2020-and-jan-2021-cpus/
Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2020-1971)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-watson-explorer-foundational-components-cve-2020-1971/
Security Bulletin: App Connect for Manufacturing 2.0 is affected by vulnerabilities of log4j 1.2.17 - Log4j Deserialization Remote Code Execution (CVE-2019-17571)
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-for-manufacturing-2-0-is-affected-by-vulnerabilities-of-log4j-1-2-17-log4j-deserialization-remote-code-execution-cve-2019-17571/
Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js vulnerabilities (CVE-2020-1971, CVE-2020-8265, and CVE-2020-8287)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-vulnerable-to-node-js-vulnerabilities-cve-2020-1971-cve-2020-8265-and-cve-2020-8287/
Security Bulletin: A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26217)
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-xstream-which-is-a-required-product-for-ibm-tivoli-network-configuration-manager-cve-2020-26217/
Security Bulletin: Security vulnerabilities in Java SE affects Rational Build Forge
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-java-se-affects-rational-build-forge-3/
Security Bulletin: A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26258, CVE-2020-26259)
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-xstream-which-is-a-required-product-for-ibm-tivoli-network-configuration-manager-cve-2020-26258-cve-2020-26259/