Daily summary - 03.09.2021

End-of-Day report

Timeframe: Thursday 02-09-2021 18:00 - Friday 03-09-2021 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner

News

A deep-dive into the SolarWinds Serv-U SSH vulnerability

We're sharing technical information about the vulnerability tracked as CVE-2021-35211, which was used to attack the SolarWinds Serv-U FTP software in limited and targeted attacks.

https://www.microsoft.com/security/blog/2021/09/02/a-deep-dive-into-the-solarwinds-serv-u-ssh-vulnerability/


From RpcView to PetitPotam

In the previous post we saw how to set up a Windows 10 machine in order to manually analyze Windows RPC with RpcView. In this post, we will see how the information provided by this tool can be used to create a basic RPC client application in C/C++. Then, we will see how we can reproduce the trick used in the PetitPotam tool.

https://itm4n.github.io/from-rpcview-to-petitpotam/


PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers

The Exploit Chain Explained - ProxyShell refers to a chain of attacks that exploit three different vulnerabilities affecting on-premises Microsoft Exchange servers to achieve pre-authenticated remote code execution (RCE).

http://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html


Patch now! Crypto-miner slips through Confluence hole

Attackers are currently actively exploiting a critical vulnerability in the Confluence wiki software. A security update is available.

https://heise.de/-6181023


From open Guest Wi-Fi to pwning a lift or why validating network segregation is critical

TL;DR A recent engagement took quite an unexpected turn and led to me having remote control of a bunch of building services including a lift from the street outside, unauthenticated.

https://www.pentestpartners.com/security-blog/from-open-guest-wi-fi-to-pwning-a-lift/


Shodan Verified Vulns 2021-09-01

As of 2021-09-01, the situation according to the data in our Shodan database looked as follows: While most of the picture has changed little compared to the previous months, there are two larger changes:

* At BlackHat 2021 USA, security researcher Orange Tsai presented a new exploit chain against Microsoft Exchange Server, which was dubbed "ProxyShell"...
* Also new is CVE-2021-31206, a vulnerability found, like ProxyShell, during this year's Pwn2Own contest of the Zero Day Initiative, which can likewise lead to remote code execution.

https://cert.at/de/aktuelles/2021/9/shodan-verified-vulns-2021-09-01

Vulnerabilities

IBM Security Bulletins

IBM has published 19 security bulletins on various vulnerabilities.

https://www.ibm.com/blogs/psirt/2021/09/


Security updates for Friday

Security updates have been issued by Debian (qemu), Fedora (condor, grilo, libopenmpt, opencryptoki, and php), openSUSE (xen), and SUSE (ffmpeg, file, php72, rubygem-addressable, and xen).

https://lwn.net/Articles/868282/


Microsoft Edge: Multiple vulnerabilities

Edge is a web browser from Microsoft. A remote, anonymous attacker can exploit multiple vulnerabilities in Microsoft Edge to carry out an attack with unknown impact.

http://www.cert-bund.de/advisoryshort/CB-K21-0934


CVE-2021-2429: A Heap-based Buffer Overflow Bug in the MySQL InnoDB memcached Plugin

The vulnerability affects MySQL versions 8.0.25 and prior. It can be triggered remotely and without authentication. Attackers can leverage this vulnerability to execute arbitrary code on the MySQL database server. Oracle patched it in July and assigned it CVE-2021-2429, while ZDI's identifier is ZDI-2021-889. ... Although the InnoDB memcached plugin is not enabled by default, it is nonetheless wise to apply the patch as soon as possible. It would not surprise me to see a reliable full exploit in the near future.

https://www.thezdi.com/blog/2021/9/2/cve-2021-2429-a-heap-based-buffer-overflow-bug-in-the-mysql-innodb-memcached-plugin
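The practical question for a fleet of MySQL servers is "which hosts are merely unpatched, and which are actually reachable through the memcached plugin right now?" The following triage helper is an added example (not code from the ZDI post or from Oracle). It assumes the two inputs an administrator can collect from each server, the string returned by `SELECT VERSION()` and the rows of `information_schema.PLUGINS`, and it uses `daemon_memcached`, the plugin name MySQL documents for the InnoDB memcached plugin. The "affected" boundary is taken literally from the summary above (8.0.25 and prior); the sample inputs are constructed.

```python
"""Triage helper for CVE-2021-2429 (MySQL InnoDB memcached plugin heap overflow).

Added example, not from ZDI or Oracle. Assumptions:
- affected means server version <= 8.0.25, as stated in the advisory summary;
- exposure additionally requires the InnoDB memcached plugin (daemon_memcached)
  to be ACTIVE, since the plugin is off by default;
- inputs mirror `SELECT VERSION()` and rows of information_schema.PLUGINS.
"""
import re
from typing import Iterable, Mapping, Tuple

LAST_VULNERABLE = (8, 0, 25)          # "8.0.25 and prior" per the advisory
MEMCACHED_PLUGIN = "daemon_memcached"  # plugin name used by MySQL for the InnoDB memcached daemon


def parse_version(version_string: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a VERSION() string.

    Distribution builds append suffixes such as '8.0.25-0ubuntu0.20.04.1'
    or '8.0.25-log'; only the leading numeric triple is compared.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {version_string!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def memcached_plugin_active(plugins: Iterable[Mapping[str, str]]) -> bool:
    """True if information_schema.PLUGINS lists daemon_memcached as ACTIVE."""
    for row in plugins:
        name = row.get("PLUGIN_NAME", "").lower()
        status = row.get("PLUGIN_STATUS", "").upper()
        if name == MEMCACHED_PLUGIN and status == "ACTIVE":
            return True
    return False


def triage(version_string: str, plugins: Iterable[Mapping[str, str]]) -> str:
    """Classify one server.

    'exposed'      vulnerable version and memcached plugin active: the
                   unauthenticated remote trigger is reachable today.
    'patch'        vulnerable version, plugin not active: not reachable now,
                   but anyone who later enables the plugin re-opens the hole.
    'not-affected' version newer than 8.0.25.
    """
    if parse_version(version_string) > LAST_VULNERABLE:
        return "not-affected"
    return "exposed" if memcached_plugin_active(plugins) else "patch"


# Constructed sample inputs (not real inventory data).
SAMPLE_PLUGINS_ENABLED = [
    {"PLUGIN_NAME": "InnoDB", "PLUGIN_STATUS": "ACTIVE"},
    {"PLUGIN_NAME": "daemon_memcached", "PLUGIN_STATUS": "ACTIVE"},
]
SAMPLE_PLUGINS_DEFAULT = [
    {"PLUGIN_NAME": "InnoDB", "PLUGIN_STATUS": "ACTIVE"},
]

if __name__ == "__main__":
    inventory = [
        ("db-a", "8.0.25-0ubuntu0.20.04.1", SAMPLE_PLUGINS_ENABLED),
        ("db-b", "8.0.25", SAMPLE_PLUGINS_DEFAULT),
        ("db-c", "8.0.26", SAMPLE_PLUGINS_ENABLED),
    ]
    for host, version, plugins in inventory:
        print(f"{host}: {version} -> {triage(version, plugins)}")
```

Hosts classified as `exposed` should be prioritised; `patch` hosts are still on the update list, because the plugin can be loaded at runtime without a restart, and that would turn them into `exposed` without any version change.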


2021-06-03: Cybersecurity Advisory - Multiple Vulnerabilities in Automation Runtime NTP Service

https://www.br-automation.com/downloads_br_productcatalogue/assets/1621259206592-en-original-1.0.pdf


SECURITY - ABB Base Software for SoftControl Remote Code Execution vulnerability

https://search.abb.com/library/Download.aspx?DocumentID=2PAA122974&LanguageCode=en&DocumentPartId=&Action=Launch


Security Bulletin: IBM Cloud Private is vulnerable to OpenSSL vulnerabilities (CVE-2021-23839, CVE-2021-23840, CVE-2021-23841)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-openssl-vulnerabilities-cve-2021-23839-cve-2021-23840-cve-2021-23841/


Security Bulletin: IBM Cloud Private is vulnerable to Elastic vulnerabilities (CVE-2020-7021)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-elastic-vulnerabilities-cve-2020-7021/


Security Bulletin: IBM Cloud Private is vulnerable to Node.js lodash vulnerabilities (CVE-2020-28500)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-node-js-lodash-vulnerabilities-cve-2020-28500/


Security Bulletin: IBM Cloud Private is vulnerable to OpenSSL and Node.js vulnerabilities (CVE-2021-23840, CVE-2021-22884, CVE-2021-22883)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-openssl-and-node-js-vulnerabilities-cve-2021-23840-cve-2021-22884-cve-2021-22883/


Security Bulletin: IBM Cloud Private is vulnerable to a Go vulnerability (CVE-2021-27919, CVE-2021-27918)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-a-go-vulnerability-cve-2021-27919-cve-2021-27918/


Security Bulletin: IBM Cloud Private is vulnerable to OpenSSL vulnerabilities (CVE-2021-3449, CVE-2021-3450)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-openssl-vulnerabilities-cve-2021-3449-cve-2021-3450/


Security Bulletin: IBM Cloud Private is vulnerable to Apache vulnerabilities (CVE-2021-26296)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-apache-vulnerabilities-cve-2021-26296/


Security Bulletin: IBM Cloud Private is vulnerable to Dojo vulnerabilities (CVE-2020-5258)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-dojo-vulnerabilities-cve-2020-5258/