Daily summary - 13.01.2022

End-of-Day report

Timeframe: Wednesday 12-01-2022 18:00 - Thursday 13-01-2022 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner

News

19-year-old hacker can remotely control Teslas in 13 countries

The young IT security expert can locate the cars, open the doors and remotely control the entertainment system. [..] In a Twitter post published on Monday, he also explained that the bug is not a vulnerability in Tesla's infrastructure. It is the owners' fault. Colombo further writes that he has reported the problem to Tesla's security team, which is investigating the matter.

https://futurezone.at/digital-life/19-jaehriger-hacker-25-teslas-in-13-laendern-fernsteuern/401870459


Adobe Cloud Abused to Steal Office 365, Gmail Credentials

Threat actors are creating accounts within the Adobe Cloud suite and sending images and PDFs that appear legitimate to target Office 365 and Gmail users, researchers from Avanan discovered.

https://threatpost.com/adobe-cloud-steal-office-365-gmail-credentials/177625/


Decrypting Qakbot's Encrypted Registry Keys

One new skill is to insert encrypted data into the registry. One of the requests we received from Trustwave's DFIR and Global Threats Operations teams is for us to decrypt the registry data that Qakbot created. We duly jumped into this task, and, as it was a bit of fun, decided to blog about it.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-qakbots-encrypted-registry-keys/


Many vulnerabilities discovered in the Jenkins software system - and not yet closed

Developers should bring their Jenkins environment up to date for security reasons. However, many updates are not yet available.

https://heise.de/-6326362


84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability

We sent the full disclosure details on November 5, 2021, after the developer confirmed the appropriate channel to handle communications. After several follow-ups a patched version of "Login/Signup Popup" was released on November 24, 2021, while patched versions of "Side Cart Woocommerce (Ajax)" and "Waitlist Woocommerce (Back in stock notifier)" were released on December 17, 2021. We strongly recommend ensuring that your site has been updated to the latest patched version of any of these plugins.

https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-three-plugins-with-the-same-vulnerability/


Free Micropatches for "RemotePotato0", a "WONT FIX" Local Privilege Escalation Affecting all Windows Systems

[..] a local privilege escalation vulnerability they had found in Windows and reported to Microsoft, who decided not to fix because "Servers must defend themselves against NTLM relay attacks." As far as real world goes, many servers do not, in fact, defend themselves against NTLM relay attacks. Since the vulnerability is present on all supported Windows versions as of today (as well as all unsupported versions which we had security-adopted), we decided to fix it ourselves.

https://blog.0patch.com/2022/01/free-micropatches-for-remotepotato0.html


Securing code signing processes

DevOps is under pressure, as became evident in the attack on SolarWinds, among others. Tony Hadfield, Director Solutions Architect at Venafi, describes five ways to secure code signing processes in a guest article.

https://www.zdnet.de/88398761/code-signatur-prozesse-sichern/

Vulnerabilities

Multiple vulnerabilities in WordPress Plugin "Quiz And Survey Master"

* Cross-site request forgery (CWE-352) - CVE-2022-0180
* Reflected cross-site scripting (CWE-79) - CVE-2022-0181
* Stored cross-site scripting (CWE-79) - CVE-2022-0182

Solution: Update the plugin

https://jvn.jp/en/jp/JVN72788165/


Juniper Security Advisories

Juniper has published 34 security advisories.

https://kb.juniper.net/InfoCenter/index/content&channel=SECURITY_ADVISORIES&cat=SIRT_1&actp=&sort=documentid&dir=descending&max=34&batch=34&itData.offset=0


Cleartext storage of the password in Cisco IP phones

Several Cisco IP phones store the configured administrator password in cleartext in unencrypted flash memory. Extracting the password is therefore easily possible with physical access to a phone. If this password is reused on several phones, an attacker gains access to the administrative settings of all devices on the network.

https://sec-consult.com/de/vulnerability-lab/advisory/klartextspeicherung-des-kennwortes-in-cisco-ip-telefonen/


Apache Log4j vulnerabilities (Log4Shell) - impact on ABB products

Product / System line - Potentially affected products and versions
* B&R Products - See further details in specific advisory
* ABB Remote Service - ABB Remote Access Platform (RAP)

https://search.abb.com/library/Download.aspx?DocumentID=9ADB012621&LanguageCode=en&DocumentPartId=&Action=Launch


iOS 15.2.1 and iPadOS 15.2.1: maintenance updates for iPhone and iPad

Apple has released a bugfix and security update for its phones and tablets. Besides several bugs, a security problem is also fixed.

https://heise.de/-6325566


Security update: malicious code vulnerability threatens computers running HP-UX

HPE developers have closed a critical vulnerability in the Unix operating system HP-UX.

https://heise.de/-6326104


IBM secures its server and workstation system AIX

Attackers could attack IBM's AIX systems and execute malicious code. Security updates are available.

https://heise.de/-6326080


Security updates for Thursday

Security updates have been issued by Debian (epiphany-browser, lxml, and roundcube), Fedora (gegl04, mingw-harfbuzz, and mod_auth_mellon), openSUSE (openexr and python39-pip), Oracle (firefox and thunderbird), Red Hat (firefox and thunderbird), SUSE (apache2, openexr, python36-pip, and python39-pip), and Ubuntu (apache-log4j1.2, ghostscript, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, and systemd).

https://lwn.net/Articles/881303/


Cisco Patches Critical Vulnerability in Contact Center Products

Cisco on Wednesday announced patches for a critical vulnerability in Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM) that could be exploited remotely to elevate privileges to administrator.

https://www.securityweek.com/cisco-patches-critical-vulnerability-contact-center-products


Citrix Hypervisor Security Update - CTX335432

Several security issues have been identified in Citrix Hypervisor that may each allow privileged code in a guest VM to cause the host to crash or become unresponsive. These issues have the following identifiers: CVE-2021-28704, CVE-2021-28705, CVE-2021-28714, CVE-2021-28715. All of these issues affect all currently supported versions of Citrix Hypervisor. Citrix has released hotfixes to address these issues.

https://support.citrix.com/article/CTX335432


CVE-2022-0015 Cortex XDR Agent: An Uncontrolled Search Path Element Leads to Local Privilege Escalation (PE) Vulnerability (Severity: HIGH)

A local privilege escalation (PE) vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables an authenticated local user to execute programs with elevated privileges. This issue impacts:
* Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12;
* Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9.

https://security.paloaltonetworks.com/CVE-2022-0015


Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45046-cve-2021-44228/


Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Archive Enterprise Edition (CVE-2021-44228)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-spectrum-archive-enterprise-edition-cve-2021-44228-2/


Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Archive Enterprise Edition (CVE-2021-45105, CVE-2021-45046)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-spectrum-archive-enterprise-edition-cve-2021-45105-cve-2021-45046/


Security Bulletin: Rational Asset Analyzer (RAA) is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104)

https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-raa-is-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-4104/


Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-http-server-used-by-ibm-websphere-application-server/


Security Bulletin: IBM PowerVM Novalink is vulnerable to allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system due to Apache Log4j (CVE-2021-44832)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-vulnerable-to-allow-a-remote-attacker-with-permission-to-modify-the-logging-configuration-file-to-execute-arbitrary-code-on-the-system-due-to-apache-log4j/


Security Bulletin: IBM Engineering Lifecycle Management products are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832, CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle-management-products-are-vulnerable-to-arbitrary-code-execution-due-to-apache-log4j-cve-2021-44832-cve-2021-45046-and-denial-of-service-due-to-apache-l-2/


Security Bulletin: IBM Db2 Big SQL for Hortonworks Data Platform, for Cloudera Data Platform Private Cloud, and IBM Db2 Big SQL on Cloud Pak for Data are affected by critical vulnerability in Log4j (CVE-2021-44228)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-big-sql-for-hortonworks-data-platform-for-cloudera-data-platform-private-cloud-and-ibm-db2-big-sql-on-cloud-pak-for-data-are-affected-by-critical-vulnerability-in-log4j-3/


Security Bulletin: The IBM i Extended Dynamic Remote SQL server (EDRSQL) is affected by CVE-2021-39056

https://www.ibm.com/blogs/psirt/security-bulletin-the-ibm-i-extended-dynamic-remote-sql-server-edrsql-is-affected-by-cve-2021-39056/


January 12, 2022 TNS-2022-03 [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202201.1

http://www.tenable.com/security/tns-2022-03


CVE-2022-0014 Cortex XDR Agent: Unintended Program Execution When Using Live Terminal Session (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2022-0014


CVE-2022-0013 Cortex XDR Agent: File Information Exposure Vulnerability When Generating Support File (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2022-0013


CVE-2022-0012 Cortex XDR Agent: Local Arbitrary File Deletion Vulnerability (Severity: MEDIUM)

https://security.paloaltonetworks.com/CVE-2022-0012