End-of-Day report
Timeframe: Monday 17-10-2022 18:00 - Tuesday 18-10-2022 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
CVE-2022-42889: Keep Calm and Stop Saying "4Shell"
[...] The vulnerability has been compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison. The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input.
In summary, much like with Spring4Shell, there are significant caveats to practical exploitability for CVE-2022-42889. With that said, we still recommend patching any relevant impacted software according to your normal, hair-not-on-fire patch cycle.
https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/
Europol: Arrested car thieves stole vehicles using software
In France, 31 members of a theft gang were arrested who are suspected of having stolen cars with keyless entry systems by means of software.
https://www.golem.de/news/europol-festgenommene-autodiebe-stahlen-fahrzeuge-mittels-software-2210-169020.html
Security: Antivirus software blocks Thunderbird updates
Instead of providing security, Avast and AVG block Thunderbird updates. This has reportedly been the case for three and a half months.
https://www.golem.de/news/sicherheit-antivirensoftware-blockiert-thunderbird-updates-2210-169025.html
Fake shop alert: Beware of fraudulent solar and photovoltaic shops
Shops such as elektrox-solar.at and horizon-shot.com deceive with professional design and stolen legal-notice (Impressum) data. Don't let these fake shops lure you into the trap! Here is how to recognise fake solar shops online.
https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-vor-betruegerischen-solar-und-photovoltaik-shops/
The salt in the soup: Salts as an indispensable ingredient in password storage for applications
Using a salt when storing passwords prevents precomputation of the hash. A pepper can be used as an additional secret.
https://www.syss.de/pentest-blog/das-salz-in-der-suppe-salts-als-unverzichtbare-zutat-bei-der-passwortspeicherung-fuer-applikationen
WordPress 6.0.3 released
I have just received notice that a maintenance update to WordPress 6.0.3 has been released. This update closes several security vulnerabilities, which are described here.
https://www.borncity.com/blog/2022/10/18/wordpress-6-0-3-erschienen/
FLEXlm and Citrix ADM Denial of Service Vulnerability
On June 27, 2022, Citrix released an advisory for CVE-2022-27511 and CVE-2022-27512, which affect Citrix ADM (Application Delivery Management).
Rapid7 investigated these issues to better understand their impact, and found that the patch is not sufficient to prevent exploitation. We also determined that the worst outcome of this vulnerability is a denial of service - the licensing server can be told to shut down (even with the patch).
https://www.rapid7.com/blog/post/2022/10/18/flexlm-and-citrix-adm-denial-of-service-vulnerability/
Python Obfuscation for Dummies, (Tue, Oct 18th)
Recently, I found several malicious Python scripts that looked the same. They all contained the same strings at the end: [...]
https://isc.sans.edu/diary/rss/29160
I'm in your hypervisor, collecting your evidence
Data acquisition during incident response engagements is always a big exercise, both for us and our clients. It's rarely smooth sailing, and we usually encounter a hiccup or two. Fox-IT's approach to enterprise scale incident response for the past few years has been to collect small forensic artefact packages using our internal data collection utility, 'acquire', usually deployed using the clients' preferred method of software deployment. While this method works fine in most cases, we often encounter scenarios where deploying our software is tricky or downright impossible.
https://blog.fox-it.com/2022/10/18/im-in-your-hypervisor-collecting-your-evidence/
Zoom for macOS Contains High-Risk Security Flaw
Video messaging technology powerhouse Zoom has rolled out a high-priority patch for macOS users alongside a warning that hackers could abuse the software flaw to connect to and control Zoom Apps.
https://www.securityweek.com/zoom-macos-contains-high-risk-security-flaw
Dutch Police obtain 155 decryption keys for Deadbolt ransomware victims
Police in the Netherlands said they were able to trick the group behind the Deadbolt ransomware to hand over the decryption keys for 155 victims during a police operation announced last week. In a statement, the Dutch National Police said on Friday that they conducted a targeted operation where they effectively paid a ransom in [...]
https://therecord.media/dutch-police-obtain-155-decryption-keys-for-deadbolt-ransomware-victims/
Alchimist: A new attack framework in Chinese for Mac, Linux and Windows
Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities. The Alchimist has a web interface in Simplified Chinese with remote administration features. The attack framework is designed to target Windows, Linux and Mac machines.
http://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html
Software Patch Management Policy Best Practices
Explore the top risk-based patch management policy best practices to mitigate the growing threat of vulnerability exploits in your organization.
https://www.trendmicro.com/en_us/ciso/22/j/software-patch-management-policy-best-practices.html
Vulnerabilities
Critical RCE Vulnerability Discovered in Popular Cobalt Strike Hacking Software
HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security update to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems.
https://thehackernews.com/2022/10/critical-rce-vulnerability-discovered.html
Security updates for Tuesday
Security updates have been issued by Debian (glibc and libksba), Fedora (dhcp and kernel), Red Hat (.NET 6.0, .NET Core 3.1, compat-expat1, kpatch-patch, and nodejs:16), Slackware (xorg), SUSE (exiv2, expat, kernel, libreoffice, python, python-numpy, squid, and virtualbox), and Ubuntu (linux-azure and zlib).
https://lwn.net/Articles/911562/
Advantech R-SeeNet
Successful exploitation of these vulnerabilities could result in an unauthorized attacker remotely deleting files on the system or allowing remote code execution.
https://us-cert.cisa.gov/ics/advisories/icsa-22-291-01
Security Bulletin: IBM WebSphere Application Server is vulnerable to SOAPAction spoofing (CVE-2022-38712)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-is-vulnerable-to-soapaction-spoofing-cve-2022-38712/
Security Bulletin: IBM Sterling B2B Integrator vulnerable to denial of service due to XStream (CVE-2021-43859)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-to-denial-of-service-due-to-xstream-cve-2021-43859/
Security Bulletin: IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Framework (CVE-2021-22060)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-to-security-bypass-due-to-spring-framework-cve-2021-22060/
Security Bulletin: IBM Sterling B2B Integrator vulnerable to remove traversal due to Apache Commons IO (CVE-2021-29425)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-to-remove-traversal-due-to-apache-commons-io-cve-2021-29425/
Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-qradar-pulse-application-add-on-to-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities/
Security Bulletin: IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analyst-workflow-app-for-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities-2/
Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow - CVE-2022-35279
https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-affect-ibm-business-automation-workflow-cve-2022-35279/
Security Bulletin: IBM Sterling B2B Integrator vulnerable due to Eclipse Jetty
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-due-to-eclipse-jetty/