End-of-Day report
Timeframe: Tuesday 18-01-2022 18:00 - Wednesday 19-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
0.0.0.0 in Emotet Spambot Traffic, (Wed, Jan 19th)
[..] Emotet uses IP address 0.0.0.0 in spambot traffic, possibly attempting to hide the actual IP address of an Emotet-infected host. This ISC diary reviews the spoofed 0.0.0.0 address used in a recent Emotet infection from Tuesday 2022-01-18.
https://isc.sans.edu/diary/rss/28254
Project Zero: Zooming in on Zero-click Exploits
In the past, I hadn't prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user. However, a zero-click attack against the Windows Zoom client was recently revealed at Pwn2Own, showing that it does indeed have a fully remote attack surface. The following post details my investigation into Zoom.
https://googleprojectzero.blogspot.com//2022/01/zooming-in-on-zero-click-exploits.html
Introducing TREVORproxy and TREVORspray 2.0 - Increasing the Speed and Effectiveness of Password Sprays
Classically, password spraying has been the single lowest-effort and highest-yield technique for gaining an initial foothold in an organization. [...] But alas, with increasing Multi-Factor coverage and defensive countermeasures like Smart Lockout, password spraying is becoming more and more of a chore. [...] When I set out to write these tools, the biggest problem I wanted to solve was Smart Lockout. Smart Lockout tries to lock out attackers without locking out legitimate users. So basically,
https://blog.blacklanternsecurity.com/p/introducing-trevorproxy-and-trevorspray
Fraudulent promises of money on Instagram
Criminals direct their fraudulent requests in particular at young women and men. They promise them large sums of money for suggestive photos or pretend to be interested in financing the lifestyle of the people concerned. Anyone who receives such offers should keep well away from them, because this is an advance-fee fraud in which payments are demanded up front.
https://www.watchlist-internet.at/news/betruegerische-geldversprechen-auf-instagram/
The Perfect Cyber Crime
[..] what if criminals were able to acquire large amounts of victims' credentials without infecting any victim, without the need to build or purchase anything, and without the risk of getting caught? We recently set out to explore this topic and validate our theory that this type of 'perfect crime' could be a new reality in cyber security. In this blog, we'll explain how we were able to obtain large amounts of sensitive data using Google's VirusTotal service in combination with other known malware services and hacker forums.
https://safebreach.com/blog/2022/the-perfect-cyber-crime/
CVE-2022-21661: Exposing Database Info via WordPress SQL Injection
In October of this year, we received a report from ngocnb and khuyenn from GiaoHangTietKiem JSC covering a SQL injection vulnerability in WordPress. The bug could allow an attacker to expose data stored in a connected database. This vulnerability was recently addressed as CVE-2022-21661 (ZDI-22-220). This blog covers the root cause of the bug and looks at how the WordPress team chose to address it.
https://www.thezdi.com/blog/2022/1/18/cve-2021-21661-exposing-database-info-via-wordpress-sql-injection
Vulnerabilities
WordPress Plugin WP Visitor Statistics 4.7 SQL Injection
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks
CVE: CVE-2021-24750
https://cxsecurity.com/issue/WLB-2022010098
Oracle Critical Patch Update Advisory - January 2022
This Critical Patch Update contains 497 new security patches across the (note: 165) product families listed below.
https://www.oracle.com/security-alerts/cpujan2022.html
The ace(r) up your sleeve! Privilege Escalation vulnerability in Acer Care Center (CVE-2021-45975)
Acer ships most of the laptops it sells with a software suite called Care Center Service installed. In versions up to and including 4.00.3038, one of the suite's programs is an executable named ListCheck.exe, which runs at logon with the highest privilege available and suffers from a phantom DLL hijacking. This can lead to a privilege escalation when an administrator logs in.
https://aptw.tf/2022/01/20/acer-care-center-privesc.html
Security update: Nvidia Shield TV media player vulnerable to malicious-code attacks
The developers have closed several vulnerabilities in the Android version for Nvidia Shield TV. Overall, the risk is rated as high.
https://heise.de/-6332144
Security updates for Wednesday
Security updates have been issued by CentOS (firefox, gegl, kernel, and thunderbird), Debian (nvidia-graphics-drivers), Fedora (btrbk and thefuck), Mageia (clamav, kernel, kernel-linus, vim, and wpa_supplicant), openSUSE (java-1_8_0-ibm, jawn, nodejs12, nodejs14, SDL2, and virglrenderer), Red Hat (gegl, gegl04, java-17-openjdk, and kernel-rt), Scientific Linux (gegl and httpd), SUSE (apache2, firefox, java-1_7_1-ibm, java-1_8_0-ibm, libvirt, nodejs12, nodejs14, openstack-monasca-agent, spark, spark-kit, zookeeper, python-Django, python-Django1, python-numpy, virglrenderer), Ubuntu (byobu, clamav, ruby2.3, ruby2.5, ruby2.7).
https://lwn.net/Articles/881810/
Cisco Redundancy Configuration Manager for Cisco StarOS Software Multiple Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rcm-vuls-7cS3Nuq
Cisco Webex Meetings Cross-Site Scripting Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-xss-FmbPu2pe
Multiple Cisco Products Snort Modbus Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-dos-9D3hJLuj
Multiple Cisco Products CLI Command Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cli-cmdinj-4MttWZPB
ConfD CLI Command Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-confdcli-cmdinj-wybQDSSh
Security Advisory - Release of Invalid Pointer Vulnerability in OptiX OSN 9800 U32 Product
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-01-invalid-en
Security Advisory - Information Exposure Vulnerability on Several Huawei Products
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-01-infodis-en
Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus V10 (CVE-2021-44832)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache-log4j-affect-ibm-app-connect-enterprise-v11-v12-and-ibm-integration-bus-v10-cve-2021-44832-2/
Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35619)
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vulnerability-affects-ibm-emptoris-strategic-supply-management-platform-cve-2021-35619/
Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45046)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-private-cve-2021-45046-3/
Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35619)
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vulnerability-affects-ibm-emptoris-program-management-cve-2021-35619/
Security Bulletin: Apache Log4j vulnerability may affect IBM Sterling B2B Integrator (CVE-2021-44228)
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-may-affect-ibm-sterling-b2b-integrator-cve-2021-44228-5/
Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-35619)
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vulnerability-affects-ibm-emptoris-contract-management-cve-2021-35619/
Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046)
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-b2b-integrator-cve-2021-45105-cve-2021-45046-7/
Security Bulletin: Apache Log4j vulnerability affects IBM Cloud Pak for Multicloud Management (CVE-2021-44832)
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-cloud-pak-for-multicloud-management-cve-2021-44832/
Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-44228)
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-file-gateway-cve-2021-44228-6/
Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45105)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-private-cve-2021-45105-3/
Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35619)
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vulnerability-affects-ibm-emptoris-supplier-lifecycle-management-cve-2021-35619/
Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44228)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-log4j-affects-ibm-cloud-private-cve-2021-44228-4/
Security Bulletin: IBM TRIRIGA Connector for Esri ArcGIS Indoors a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-connector-for-esri-arcgis-indoors-a-component-of-ibm-tririga-portfolio-data-manager-is-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j/
Security Bulletin: Due to use of Apache Log4j, IBM Cloud PAK for Watson AI Ops is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105)
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4j-ibm-cloud-pak-for-watson-ai-ops-is-vulnerable-to-arbitrary-code-execution-cve-2021-45046-and-denial-of-service-cve-2021-45105/
Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22310)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-is-vulnerable-to-an-information-disclosure-cve-2022-22310/
Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046)
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerability-affects-ibm-sterling-file-gateway-cve-2021-45105-cve-2021-45046-7/
Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35619)
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vulnerability-affects-ibm-emptoris-sourcing-cve-2021-35619/
Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 1.0
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affects-ibm-cloud-pak-for-data-system-1-0-3/
An update on the Apache Log4j 2.x vulnerabilities
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/
K61112120: BIG-IP ASM and Advanced WAF TMUI vulnerability CVE-2022-23031
https://support.f5.com/csp/article/K61112120
K96924184: F5 HTTP profile vulnerability CVE-2022-23022
https://support.f5.com/csp/article/K96924184
K82793463: BIG-IP MRF Diameter vulnerability CVE-2022-23019
https://support.f5.com/csp/article/K82793463
K41503304: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature bypass security exposure
https://support.f5.com/csp/article/K41503304
K53442005: BIG-IP VE vulnerability CVE-2022-23030
https://support.f5.com/csp/article/K53442005
K16101409: BIG-IP AFM vulnerability CVE-2022-23028
https://support.f5.com/csp/article/K16101409
K28042514: BIG-IP TMM and DNS profile vulnerability CVE-2022-23017
https://support.f5.com/csp/article/K28042514
K91013510: SSL Forward Proxy vulnerability CVE-2022-23016
https://support.f5.com/csp/article/K91013510
K08476614: BIG-IP Client SSL profile vulnerability CVE-2022-23015
https://support.f5.com/csp/article/K08476614
K17514331: BIG-IP TMM vulnerability CVE-2022-23020
https://support.f5.com/csp/article/K17514331
K93526903: BIG-IP APM portal access vulnerability CVE-2022-23014
https://support.f5.com/csp/article/K93526903
K30525503: BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032
https://support.f5.com/csp/article/K30525503
K54892865: BIG-IP AFM vulnerability CVE-2022-23024
https://support.f5.com/csp/article/K54892865
K29500533: TMUI XSS vulnerability CVE-2022-23013
https://support.f5.com/csp/article/K29500533
K50343028: BIG-IP FastL4 profile vulnerability CVE-2022-23029
https://support.f5.com/csp/article/K50343028
K68755210: BIG-IP SYN Cookie Protection vulnerability CVE-2022-23011
https://support.f5.com/csp/article/K68755210
K26310765: HTTP/2 profile vulnerability CVE-2022-23012
https://support.f5.com/csp/article/K26310765
K34360320: BIG-IP FastL4 vulnerability CVE-2022-23010
https://support.f5.com/csp/article/K34360320
K30911244: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature check failure
https://support.f5.com/csp/article/K30911244
K41415626: Transparent DNS Cache can consume excessive resources
https://support.f5.com/csp/article/K41415626
K44110411: BIG-IP SIP ALG vulnerability CVE-2022-23025
https://support.f5.com/csp/article/K44110411
K08402414: BIG-IP ASM and Advanced WAF REST API endpoint vulnerability CVE-2022-23026
https://support.f5.com/csp/article/K08402414
K11742742: iControl REST vulnerability CVE-2022-23023
https://support.f5.com/csp/article/K11742742
K30573026: BIG-IP virtual server with FastL4 profile vulnerability CVE-2022-23027
https://support.f5.com/csp/article/K30573026
K24358905: BIG-IP AFM virtual server vulnerability CVE-2022-23018
https://support.f5.com/csp/article/K24358905
Multiple vulnerabilities in Bosch AMC2 (Access Modular Controller)
https://psirt.bosch.com/security-advisories/bosch-sa-940448-bt.html