Daily summary - 26.01.2022

End-of-Day report

Timeframe: Tuesday 25-01-2022 18:00 - Wednesday 26-01-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a

News

ALPN: One percent of Let's Encrypt certificates are being revoked

Let's Encrypt reports that there were problems with the ALPN validation method, and certificates issued using it are being revoked.

https://www.golem.de/news/alpn-ein-prozent-der-let-s-encrypt-zertifikate-wird-zurueckgezogen-2201-162695-rss.html


Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW (Wed, Jan 26th)

Integrated Lights-Out (iLO) is a low-level server management system intended for out-of-band configuration, which Hewlett-Packard Enterprise embeds in some of its servers. Besides its use for maintenance, administrators often rely on it for emergency access to a server when everything "above it" (hypervisor or OS) fails and/or is unreachable. Since these kinds of platforms/interfaces are quite sensitive from a security standpoint, access to them should always be limited to the relevant administrator groups only, and their firmware should always be kept up to date.

https://isc.sans.edu/diary/rss/28276


German govt warns of APT27 hackers backdooring business networks

"It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack)." The BfV also published indicators of compromise (IOCs) and YARA rules to help targeted German organizations to check for HyperBro infections and connections to APT27 command-and-control (C2) servers.

https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/


Sysdig report: The majority of container deployments have vulnerabilities

Sysdig observes a continuing shift left in container security, but many vulnerabilities remain unpatched and permission configurations remain inadequate.

https://heise.de/-6336816


Root access on Linux through Polkit vulnerability

Security researchers have discovered a vulnerability in Polkit that enables privilege escalation. Patches are already available for many distributions.

https://heise.de/-6338569


Fake shops pose as shops for department store liquidations

We are currently encountering an increasing number of fake shops that claim to specialise in department store liquidations or to sell surplus stock from Amazon or department stores. They use this to justify their low prices for brand products such as KitchenAid, Weber or DeLonghi. But anyone who looks closely will recognise that these are fake shops.

https://www.watchlist-internet.at/news/fake-shops-geben-sich-als-shops-fuer-warenhausaufloesungen-aus/


Vidar Exploiting Social Media Platform (Mastodon)

The ASEC analysis team has recently discovered that Vidar is exploiting a social media platform named Mastodon to create C&C server addresses. Vidar is an info-stealer malware installed through spam emails and PUPs, sometimes disguised as a KMSAuto activator tool. It has been distributed continuously for a long time, and there was a recent case of it being installed through other malware such as Stop ransomware.

https://asec.ahnlab.com/en/30875/

Vulnerabilities

Multiple vulnerabilities in TransmitMail

TransmitMail is a PHP-based mail form system. TransmitMail contains the multiple vulnerabilities listed below.

- Directory traversal vulnerability due to improper validation of external input values (CWE-22) - CVE-2022-22146
- Cross-site scripting (CWE-79) - CVE-2022-21193

https://jvn.jp/en/jp/JVN70100915/


Security Update - Fix available for a privilege escalation vulnerability

This notification is in regard to an elevation of privilege vulnerability (CVE-2022-23863) that was recently identified and fixed in Desktop Central and Desktop Central MSP. [...] A privilege escalation vulnerability that may allow an authenticated user to change the passwords of a more privileged account.

https://pitstop.manageengine.com/portal/en/community/topic/security-update-fix-available-for-a-privilege-escalation-vulnerability


Denial of service & User Enumeration in WAGO 750-8xxx PLC

The Wago PLC models 750-8xxx are prone to multiple security vulnerabilities. These include a Denial-of-Service (DoS) of the connection to the Codesys service and the enumeration of usernames via a timing side channel. By exploiting these vulnerabilities, remote use of the Codesys services can be prevented and existing usernames on the device can be identified. [...] WAGO's customers should upgrade the firmware to the latest version available.

https://sec-consult.com/vulnerability-lab/advisory/denial-of-service-user-enumeration-in-wago-750-8xxx-plc/


Security updates for Wednesday

Security updates have been issued by CentOS (httpd), Debian (libxfont, lrzsz, nss, openjdk-17, policykit-1, webkit2gtk, and wpewebkit), Mageia (polkit), openSUSE (expat, json-c, kernel, polkit, qemu, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), Oracle (httpd:2.4, java-11-openjdk, and polkit), Red Hat (httpd:2.4, OpenShift Container Platform 3.11.570, polkit, and Red Hat OpenStack Platform 16.1 (etcd)), Scientific Linux (polkit), Slackware (polkit), SUSE (aide, expat, firefox, json-c, kernel, polkit, qemu, rust, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), and Ubuntu (policykit-1 and xorg-server).

https://lwn.net/Articles/882724/


Security Advisory - Laser Command Injection Vulnerability on Huawei Terminals

http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220126-01-df75863e-en


Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-insights-is-affected-by-multiple-vulnerabilities-6/


Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-24122

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-affected-by-cve-2021-24122/


Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-41079

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-affected-by-cve-2021-41079/


Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30639

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-affected-by-cve-2021-30639/


Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Jan 2022 V1)

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-cloud-object-storage-systems-jan-2022-v1/


Security Bulletin: IBM Cloud Pak for Automation is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-automationis-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45105-and-cve-2021-45046/


Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics - Log Analysis (CVE-2021-44228)

https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-execution-vulnerability-in-apache-solr-and-logstash-shipped-with-ibm-operations-analytics-log-analysis-cve-2021-44228-4/


Security Bulletin: IBM Observability by Instana and IBM Observability with Instana - Server and Agents are vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-observability-by-instana-and-ibm-observability-with-instana-server-and-agents-are-vulnerable-to-denial-of-service-and-arbitrary-code-execution-due-to-apache-log4j-cve-2021-45/


Security Bulletin: Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305)

https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4j-ibm-db2-web-query-for-i-is-vulnerable-to-arbitrary-code-execution-cve-2021-4104-cve-2022-23302-and-cve-2022-23307-and-sql-injection-cve-2022-23305/


Security Bulletin: Tivoli Network Manager IP Edition is vulnerable to a denial of service vulnerability (CVE-2021-30468)

https://www.ibm.com/blogs/psirt/security-bulletin-tivoli-network-manager-ip-edition-is-vulnerable-to-a-denial-of-service-vulnerability-cve-2021-30468/


Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-17527

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-affected-by-cve-2020-17527/


Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-13935

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-affected-by-cve-2020-13935/


Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30640

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-affected-by-cve-2021-30640/


Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-33037

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-affected-by-cve-2021-33037/


Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-25122 and CVE-2021-25329

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-affected-by-cve-2021-25122-and-cve-2021-25329/


GE Gas Power ToolBoxST

https://us-cert.cisa.gov/ics/advisories/icsa-22-025-01


Injection of arbitrary HTML code in Bosch Video Security Android App

https://psirt.bosch.com/security-advisories/bosch-sa-844050-bt.html