Daily Summary - 13.07.2021

End-of-Day report

Timeframe: Monday 12-07-2021 18:00 - Tuesday 13-07-2021 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer

News

Trickbot Activity Increases; new VNC Module On the Radar

Despite the takedown attempt, Trickbot is more active than ever. In May 2021, our systems started to pick up an updated version of the vncDll module that Trickbot uses against select high-profile targets.

https://www.bitdefender.com/blog/labs/trickbot-activity-increases-new-vnc-module-on-the-radar


Do not book your accommodation on fewolio.de

fewolio.de is a dubious booking platform for luxury holiday homes in Germany. The fraudulent platform stands out mainly for its low prices and short-notice availability.

https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-auf-fewoliode/

Vulnerabilities

IT security: New vulnerability at Solarwinds

There were problems with a file-exchange software product from Solarwinds. An attacker has apparently been actively exploiting the vulnerability.

https://www.golem.de/news/it-sicherheit-neue-sicherheitsluecke-bei-solarwinds-2107-158086-rss.html


ModiPwn

Armis researchers discover a critical vulnerability in Schneider Electric Modicon PLCs. The vulnerability can allow attackers to bypass authentication mechanisms, which can lead to native remote code execution on vulnerable PLCs.

https://www.armis.com/research/modipwn/


Siemens Security Advisories 2021-07-13

Siemens has published 18 new and 5 updated Security Advisories. (CVSS scores from 5.3 to 9.8)

https://new.siemens.com/de/de/produkte/services/cert.html


Citrix Virtual Apps and Desktops Security Update

A vulnerability has been identified in Citrix Virtual Apps and Desktops that could, if exploited, allow a user of a Windows VDA that has either Citrix Profile Management or Citrix Profile Management WMI Plugin installed to escalate their privilege level on that Windows VDA to SYSTEM.

https://support.citrix.com/article/CTX319750


Examining Crypto and Bypassing Authentication in Schneider Electric PLCs (M340/M580)

What you see in the picture above is similar to what you might see at a factory, plant, or inside a machine. At the core of it is Schneider Electric's Modicon M340 programmable logic controller (PLC).

https://medium.com/tenable-techblog/examining-crypto-and-bypassing-authentication-in-schneider-electric-plcs-m340-m580-f37cf9f3ff34


Security updates for Tuesday

Security updates have been issued by Debian (sogo), Fedora (libvirt), Gentoo (polkit), Mageia (binutils, freeradius, guile1.8, kernel, kernel-linus, libgrss, mediawiki, mosquitto, php-phpmailer, and webmin), openSUSE (bluez and jdom2), Oracle (kernel and xstream), Scientific Linux (xstream), and SUSE (kernel and python-pip).

https://lwn.net/Articles/862767/


Recently Patched ForgeRock AM Vulnerability Exploited in Attacks

Government agencies in the United States and Australia warn organizations that a recently patched vulnerability affecting ForgeRock Access Management has been exploited in the wild.

https://www.securityweek.com/recently-patched-forgerock-am-vulnerability-exploited-attacks


ZDI-21-786: Trend Micro Apex One Incorrect Permission Assignment Denial-of-Service Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-786/


ZDI-21-789: (0Day) GoPro Player MOV File Parsing Use-After-Free Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-789/


ZDI-21-788: (0Day) GoPro Player MOV File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-788/


ZDI-21-787: (0Day) GoPro Player MOV File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-21-787/


SAP Software: Multiple vulnerabilities

https://www.cert-bund.de/advisoryshort/CB-K21-0734


Security Bulletin: A vulnerability was found in Oniguruma 6.9.2 that would result in a NULL Pointer Dereference, affecting IBM Cloud Pak for Applications

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-found-in-oniguruma-6-9-2-that-would-result-in-a-null-pointer-dereference-affecting-ibm-cloud-pak-for-applications/


Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 where insecure http communications is used

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-found-in-ibm-cloud-pak-for-applications-v4-3-where-insecure-http-communications-is-used/


Security Bulletin: An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator, affecting IBM Cloud Pak for Applications

https://www.ibm.com/blogs/psirt/security-bulletin-an-out-of-bounds-read-vulnerability-was-found-in-the-slirp-networking-implementation-of-the-qemu-emulator-affecting-ibm-cloud-pak-for-applications/


Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 where an error message may disclose implementation details

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-found-in-ibm-cloud-pak-for-applications-v4-3-where-an-error-message-may-disclose-implementation-details/


Security Bulletin: IBM Cloud Pak for Applications v4.3 does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-applications-v4-3-does-not-properly-assign-modify-track-or-check-privileges-for-an-actor-creating-an-unintended-sphere-of-control-for-that-actor/


Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes a cross-site scripting attack due to target blank set in HTML anchor tags

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-found-in-ibm-cloud-pak-for-applications-v4-3-that-exposes-a-cross-site-scripting-attack-due-to-target-blank-set-in-html-anchor-tags/


Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 which may allow a malicious attacker to obtain sensitive user information from memory

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-found-in-ibm-cloud-pak-for-applications-v4-3-which-may-allow-a-malicious-attacker-to-obtain-sensitive-user-information-from-memory/


Security Bulletin: A vulnerability has been found in x/test package before 0.3.3 for Go that could lead to an infinite loop, affecting IBM Cloud Pak for Applications

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilty-has-been-found-in-x-test-pacakge-before-0-3-3-for-go-that-could-lead-to-an-infinite-loop-affecting-ibm-cloud-pak-for-applications/


Security Bulletin: A vulnerability has been found in IBM Cloud Pak for Applications v4.3 that exposes the possibility of a cross-site scripting attack.

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-found-in-ibm-cloud-pak-for-applications-v4-3-that-exposes-the-possibility-of-a-cross-site-scripting-attack/


Security Bulletin: A vulnerability has been identified in IBM Cloud Pak for Applications v4.3 that exposes a cross-site scripting attack.

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-cloud-pak-for-applications-v4-3-that-exposes-a-cross-site-scripting-attack/


VMSA-2021-0014

https://www.vmware.com/security/advisories/VMSA-2021-0014.html


glibc vulnerability CVE-2020-27618

https://support.f5.com/csp/article/K08641512


Apache Cassandra vulnerability CVE-2020-13946

https://support.f5.com/csp/article/K36212405


Apache Tomcat: Multiple vulnerabilities

http://www.cert-bund.de/advisoryshort/CB-K21-0733


Icinga: Multiple vulnerabilities allow disclosure of information

http://www.cert-bund.de/advisoryshort/CB-K21-0732


Adobe Releases Security Updates for Multiple Products

https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/adobe-releases-security-updates-multiple-products


Security Advisories SYSS-2021-022, SYSS-2021-023, SYSS-2021-025 and SYSS-2021-026 on P&I software LOGA3

https://www.syss.de/pentest-blog/security-advisories-syss-2021-022-syss-2021-023-syss-2021-025-und-syss-2021-026-zu-pi-software-loga3


SYSS-2021-020, SYSS-2021-021, SYSS-2021-027: Multiple vulnerabilities in Element-IT HTTP Commander

https://www.syss.de/pentest-blog/syss-2021-020-syss-2021-021-syss-2021-027-mehrere-schwachstellen-in-element-it-http-commander