End-of-Day report
Timeframe: Friday 28-01-2022 18:00 - Monday 31-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Log4Shell: Taking stock
After the panic over the biggest security vulnerability of all time, the big bang never came. Is it still coming, or have we weathered the worst of it?
https://heise.de/-6342536
Dubious moving companies: beware of offers that are too cheap
Are you moving and looking for a moving company? Our tip: don't be fooled by cut-price offers! Fixed-price offers of 25 euros per hour for 2 men including a truck are completely unrealistic. They are bait offers. Once you place the order, you end up being charged 3 to 4 times the price!
https://www.watchlist-internet.at/news/unserioese-umzugsfirmen-vorsicht-bei-zu-guenstigen-angeboten/
277,000 routers exposed to Eternal Silence attacks via UPnP
A malicious campaign known as Eternal Silence is abusing Universal Plug and Play (UPnP) to turn your router into a proxy server that is used to launch malicious attacks while hiding the location of the threat actors.
https://www.bleepingcomputer.com/news/security/277-000-routers-exposed-to-eternal-silence-attacks-via-upnp/
Be careful with RPMSG files, (Mon, Jan 31st)
Not many people are aware of ".rpmsg" files. The file extension means "restricted-permission message". They are used to deliver email messages between people and implement some controls applied on the recipient side. Such permissions are, for example, the right to forward or copy the original email.
https://isc.sans.edu/diary/rss/28292
Rip Raw - A tool to analyse the memory of compromised Linux systems
It is similar in purpose to Bulk Extractor, but particularly focused on extracting system logs from memory dumps of Linux systems. This enables you to analyse systems without needing to generate a profile. It is not a replacement for tools such as Rekall and Volatility, which use a profile to perform a more structured analysis of memory.
https://github.com/cado-security/rip_raw
TrendNET AC2600 RCE via WAN
This blog provides a walkthrough of how to gain RCE on the TrendNET AC2600 (model TEW-827DRU specifically) consumer router via the WAN interface. There is currently no publicly available patch for these issues; therefore only a subset of issues disclosed in TRA-2021-54 will be discussed in this post.
https://medium.com/tenable-techblog/trendnet-ac2600-rce-via-wan-8926b29908a4
On our own behalf: CERT.at is hiring (Junior IT Security Analyst, IT Security Analyst, Python Developer)
We are currently looking for:
- A career starter or career changer with a strong interest in IT security to support the daily routine tasks
- An IT/OT security generalist or a specialist in the area of Windows security, with practical experience
- A Python developer to further develop existing open-source projects, in particular IntelMQ and Tuency
Details can be found on our jobs page.
https://cert.at/de/blog/2022/1/in-eigener-sache-certat-sucht-verstarkung-junior-it-security-analystin-it-security-analystin-python-entwicklerin
Vulnerabilities
VU#119678: Samba vfs_fruit module insecurely handles extended file attributes
The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.
https://kb.cert.org/vuls/id/119678
ABB: SECURITY - OPC Server for AC 800M - Remote Code Execution Vulnerability
ABB is aware that OPC Server for AC 800M contains a Remote Code Execution vulnerability. An authenticated remote user with low privileges who successfully exploited this vulnerability could insert and execute arbitrary code in the node running the AC800M OPC Server.
https://www02.abb.com/GLOBAL/GAD/GAD01626.NSF/0/B0A9E56BA54C9C3AC12587DB00224447?OpenDocument
Lenovo Security Advisory: LEN-78122 - Intel Graphics Drivers Advisory
Intel reported potential security vulnerabilities in some Intel Graphics Drivers that may allow escalation of privilege or denial of service.
https://support.lenovo.com/at/en/product_security/ps500462-intel-graphics-drivers-advisory
OpenSSL Security Advisory [28 January 2022] - BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160)
There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.
https://openssl.org/news/secadv/20220128.txt
Security updates for Monday
Security updates have been issued by Debian (apache-log4j1.2, expat, libraw, prosody, and python-nbxmpp), Fedora (chromium, hiredis, java-11-openjdk, java-latest-openjdk, lua, rust-afterburn, rust-ammonia, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-insta, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-ron, rust-ron0.6, rust-similar, rust-similar-asserts, rust-skim, rust-thread_local, rust-tokei, vim, wpa_supplicant, and zola), Gentoo [...]
https://lwn.net/Articles/883322/
SBA-ADV-20220127-01: Shibboleth Identity Provider OIDC OP Plugin Server-Side Request Forgery
Shibboleth Identity Provider OIDC OP plugin 3.0.3 or below is prone to a server-side request forgery (SSRF) vulnerability due to an insufficient restriction of the `request_uri` parameter. This allows unauthenticated attackers to interact with arbitrary third-party HTTP services.
https://github.com/sbaresearch/advisories/commit/65856734acca54052de34b520602c351e9707b0c
IBM Security Bulletins
https://www.ibm.com/blogs/psirt/
Multiple Critical Vulnerabilities in Korenix Technology JetWave products
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-korenix-technology-jetwave-products/
K54450124: NSS vulnerability CVE-2021-43527
https://support.f5.com/csp/article/K54450124
K46015513: Polkit pkexec vulnerability CVE-2021-4034
https://support.f5.com/csp/article/K46015513
WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro
https://cert.vde.com/de/advisories/VDE-2022-002/