Tageszusammenfassung - 25.03.2021

End-of-Day report

Timeframe: Mittwoch 24-03-2021 18:00 - Donnerstag 25-03-2021 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Cisco fixt Remote-Lücken in Jabber-Clients für Windows, macOS & mobile Systeme

Ein Update schließt teils als kritisch eingestufte Einfallstore in Ciscos Jabber-Client für Win, macOS, Android & iOS. Auch weitere Produkte erhielten Updates.

https://heise.de/-5997987


IETF erklärt TLS-Urväter 1.0 und 1.1 als veraltet

Schwache Kryptografie und reichlich Sicherheitslücken haben zum Ende von TLS 1.0 und 1.1 geführt.

https://heise.de/-5997963


Fleeceware lockt in Abofallen

Forscher von Avast haben Hunderte von Fleeceware-Mobilfunk-Apps auf Google Play und im Apple App Store entdeckt, mit denen ihre Entwickler Millionen von Dollar verdienen.

https://www.zdnet.de/88394043/fleeceware-lockt-in-abofallen/


QNAP warns of ongoing brute-force attacks against NAS devices

QNAP warns customers of ongoing attacks targeting QNAP NAS (network-attached storage) devices and urges them to immediately take action to mitigate them.

https://www.bleepingcomputer.com/news/security/qnap-warns-of-ongoing-brute-force-attacks-against-nas-devices/


Threat landscape for industrial automation systems. Statistics for H2 2020

We continued our observations and identified a number of trends that could, in our opinion, be due to circumstances connected with the pandemic in one way or another, as well as the reaction of governments, organizations and people to these circumstances.

https://securelist.com/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2020/101299/


Microsoft Exchange Vulnerability (CVE-2021-26855) Scan Analysis

On March 2, 2021, Microsoft disclosed a remote code execution vulnerability in Microsoft Exchange server[1]. We customized our Anglerfish honeypot to simulate and deploy Microsoft Exchange honeypot plug-in on March 3, and soon we started to see a large amount of related data, so far, we have already [...]

https://blog.netlab.360.com/microsoft-exchange-vulnerability-cve-2021-26855-scan-analysis-3/


From Creative Password Hashes to Administrator: Gone in 60 Seconds (Or Thereabouts)

Picture the scene, you-re on an application penetration test (as a normal user) and you-ve managed to bag yourself some password hashes from the application. This can happen in various ways but in my experience, this is often the result of either a SQL injection vulnerability (resulting in the dumping of the users table) or finding that the application (or associated API) spits these hashes out in responses (because they are only hashes and what could go wrong!?).

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-creative-password-hashes-to-administrator-gone-in-60-seconds-or-thereabouts/


Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild

On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme-s "Legacy" Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. We estimate that more than 100,000 WordPress sites are using Thrive Theme products [...]

https://www.wordfence.com/blog/2021/03/recently-patched-vulnerability-in-thrive-themes-actively-exploited-in-the-wild/


Mamba Ransomware Leverages DiskCryptor for Encryption, FBI Warns

The Federal Bureau of Investigation (FBI) this week published an alert to warn of the fact that the Mamba ransomware is abusing the DiskCryptor open source tool to encrypt entire drives, including the operating system.

https://www.securityweek.com/mamba-ransomware-leverages-diskcryptor-encryption-fbi-warns


Webshells Observed in Post-Compromised Exchange Servers

CISA has added two new Malware Analysis Reports (MARs) to Alert AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities. Each new MAR (AR21-084A and AR21-084B) identifies a webshell observed in post-compromised Microsoft Exchange Servers. After successful exploiting a Microsoft Exchange Server vulnerability for initial accesses, a malicious cyber actor can upload a webshell to enable remote administration of the affected system.

https://us-cert.cisa.gov/ncas/current-activity/2021/03/25/webshells-observed-post-compromised-exchange-servers

Vulnerabilities

Kryptobibliothek: OpenSSL-Lücke in Zertifikatschecks

Ein Fehler von OpenSSL bei der Zertifikatsvalidierung betrifft nur wenige Anwendungen, ein weiterer Bug lässt Server abstürzen.

https://www.golem.de/news/kryptobibliothek-openssl-luecke-in-zertifikatschecks-2103-155262-rss.html


SAP® Privilege Escalation durch ABAP Code Injection in SAP® Business Warehouse

Dieser Blogpost soll einen Überblick über eine kritische ABAP Code Injection-Schwachstelle innerhalb des Funktionsbausteins RSDMD_BATCH_CALL im SAP® Business Warehouse geben und dessen Auswirkungen verdeutlichen.

https://sec-consult.com/de/blog/detail/privilege-escalation-abap-code-injection-sap-business-warehouse/


Two Vulnerabilities Patched in Facebook for WordPress Plugin

On December 22, 2020, our Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites. This flaw made it possible for unauthenticated attackers with access to a site-s secret salts and keys to achieve remote code execution through a deserialization [...]

https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/


Security updates for Thursday

Security updates have been issued by Debian (firefox-esr and lxml), Fedora (jasper), openSUSE (gnutls, hawk2, ldb, libass, nghttp2, and ruby2.5), Oracle (pki-core:10.6), Red Hat (firefox and thunderbird), SUSE (evolution-data-server, ldb, python3, and zstd), and Ubuntu (ldb, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-signed, linux-snapdragon, and linux, linux-lts-xenial).

https://lwn.net/Articles/850498/


Intel Ethernet controller vulnerabilities CVE-2020-24492, CVE-2020-24493, CVE-2020-24494, CVE-2020-24495, CVE-2020-24496

https://support.f5.com/csp/article/K91610944?utm_source=f5support&utm_medium=RSS


Red Hat OpenShift: Mehrere Schwachstellen

https://www.cert-bund.de/advisoryshort/CB-K21-0308


Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Go vulnerabilities (CVE-2020-28851 and CVE-2020-28852)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-vulnerable-to-go-vulnerabilities-cve-2020-28851-and-cve-2020-28852/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-security-directory-server-3/


Security Bulletin: Operations Dashboard is vulnerable to Go vulnerabilities (CVE-2021-3114 and CVE-2021-3115)

https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-go-vulnerabilities-cve-2021-3114-and-cve-2021-3115/


Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java- Technology Edition affect IBM Operational Decision Manager (Oct 2020 and Jan 2021 CPUs)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-sdk-java-technology-edition-affect-ibm-operational-decision-manager-oct-2020-and-jan-2021-cpus/


Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2020-1971)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-watson-explorer-foundational-components-cve-2020-1971/


Security Bulletin: App Connect for Manufacturing 2.0 is affected by vulnerabilities of log4j 1.2.17 - Log4j Deserialization Remote Code Execution (CVE-2019-17571)

https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-for-manufacturing-2-0-is-affected-by-vulnerabilities-of-log4j-1-2-17-log4j-deserialization-remote-code-execution-cve-2019-17571/


Security Bulletin: IBM Cloud Pak for Integration is vulnerable to Node.js vulnerabilities (CVE-2020-1971, CVE-2020-8265, and CVE-2020-8287)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-vulnerable-to-node-js-vulnerabilities-cve-2020-1971-cve-2020-8265-and-cve-2020-8287/


Security Bulletin: A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26217)

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-xstream-which-is-a-required-product-for-ibm-tivoli-network-configuration-manager-cve-2020-26217/


Security Bulletin: Security vulnerabilities in Java SE affects Rational Build Forge

https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-in-java-se-affects-rational-build-forge-3/


Security Bulletin: A security vulnerability has been identified in Xstream, which is a required product for IBM Tivoli Network Configuration Manager (CVE-2020-26258, CVE-2020-26259)

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-xstream-which-is-a-required-product-for-ibm-tivoli-network-configuration-manager-cve-2020-26258-cve-2020-26259/