Daily summary - 18.10.2022

End-of-Day report

Timeframe: Monday 17-10-2022 18:00 - Tuesday 18-10-2022 18:00 Handler: Stephan Richter Co-Handler: n/a

News

CVE-2022-42889: Keep Calm and Stop Saying "4Shell"

[...] The vulnerability has been compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison. The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input. In summary, much like with Spring4Shell, there are significant caveats to practical exploitability for CVE-2022-42889. With that said, we still recommend patching any relevant impacted software according to your normal, hair-not-on-fire patch cycle.

https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/


Europol: Arrested car thieves stole vehicles using software

In France, 31 members of a theft ring were arrested who are alleged to have stolen cars equipped with keyless entry systems using software.

https://www.golem.de/news/europol-festgenommene-autodiebe-stahlen-fahrzeuge-mittels-software-2210-169020.html


Security: Antivirus software blocks Thunderbird updates

Instead of providing security, Avast and AVG are blocking Thunderbird updates. This has reportedly been the case for three and a half months.

https://www.golem.de/news/sicherheit-antivirensoftware-blockiert-thunderbird-updates-2210-169025.html


Fake shop alert: Beware of fraudulent solar and photovoltaic shops

Shops such as elektrox-solar.at and horizon-shot.com deceive with a professional design and stolen legal notice (Impressum) data. Don't let these fake shops lure you into the trap! Here is how to recognise fake solar shops online.

https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-vor-betruegerischen-solar-und-photovoltaik-shops/


The salt in the soup: salts as an indispensable ingredient in password storage for applications

Using a salt when storing passwords prevents precomputation of the hash. A pepper can be used as an additional secret.

https://www.syss.de/pentest-blog/das-salz-in-der-suppe-salts-als-unverzichtbare-zutat-bei-der-passwortspeicherung-fuer-applikationen


WordPress 6.0.3 released

I have just received the notification that a maintenance update to WordPress 6.0.3 has been released. This update closes several security vulnerabilities, which are described here.

https://www.borncity.com/blog/2022/10/18/wordpress-6-0-3-erschienen/


FLEXlm and Citrix ADM Denial of Service Vulnerability

On June 27, 2022, Citrix released an advisory for CVE-2022-27511 and CVE-2022-27512, which affect Citrix ADM (Application Delivery Management). Rapid7 investigated these issues to better understand their impact, and found that the patch is not sufficient to prevent exploitation. We also determined that the worst outcome of this vulnerability is a denial of service - the licensing server can be told to shut down (even with the patch).

https://www.rapid7.com/blog/post/2022/10/18/flexlm-and-citrix-adm-denial-of-service-vulnerability/


Python Obfuscation for Dummies, (Tue, Oct 18th)

Recently, I found several malicious Python scripts that looked the same. They all contained the same strings at the end: [...]

https://isc.sans.edu/diary/rss/29160


I'm in your hypervisor, collecting your evidence

Data acquisition during incident response engagements is always a big exercise, both for us and our clients. It's rarely smooth sailing, and we usually encounter a hiccup or two. Fox-IT's approach to enterprise scale incident response for the past few years has been to collect small forensic artefact packages using our internal data collection utility, 'acquire', usually deployed using the clients' preferred method of software deployment. While this method works fine in most cases, we often encounter scenarios where deploying our software is tricky or downright impossible.

https://blog.fox-it.com/2022/10/18/im-in-your-hypervisor-collecting-your-evidence/


Zoom for macOS Contains High-Risk Security Flaw

Video messaging technology powerhouse Zoom has rolled out a high-priority patch for macOS users alongside a warning that hackers could abuse the software flaw to connect to and control Zoom Apps.

https://www.securityweek.com/zoom-macos-contains-high-risk-security-flaw


Dutch Police obtain 155 decryption keys for Deadbolt ransomware victims

Police in the Netherlands said they were able to trick the group behind the Deadbolt ransomware to hand over the decryption keys for 155 victims during a police operation announced last week. In a statement, the Dutch National Police said on Friday that they conducted a targeted operation where they effectively paid a ransom in [...]

https://therecord.media/dutch-police-obtain-155-decryption-keys-for-deadbolt-ransomware-victims/


Alchimist: A new attack framework in Chinese for Mac, Linux and Windows

Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities. The Alchimist has a web interface in Simplified Chinese with remote administration features. The attack framework is designed to target Windows, Linux and Mac machines.

http://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html


Software Patch Management Policy Best Practices

Explore the top risk-based patch management policy best practices to mitigate the growing threat of vulnerability exploits in your organization.

https://www.trendmicro.com/en_us/ciso/22/j/software-patch-management-policy-best-practices.html

Vulnerabilities

Critical RCE Vulnerability Discovered in Popular Cobalt Strike Hacking Software

HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security update to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems.

https://thehackernews.com/2022/10/critical-rce-vulnerability-discovered.html


Security updates for Tuesday

Security updates have been issued by Debian (glibc and libksba), Fedora (dhcp and kernel), Red Hat (.NET 6.0, .NET Core 3.1, compat-expat1, kpatch-patch, and nodejs:16), Slackware (xorg), SUSE (exiv2, expat, kernel, libreoffice, python, python-numpy, squid, and virtualbox), and Ubuntu (linux-azure and zlib).

https://lwn.net/Articles/911562/


Advantech R-SeeNet

Successful exploitation of these vulnerabilities could result in an unauthorized attacker remotely deleting files on the system or allowing remote code execution.

https://us-cert.cisa.gov/ics/advisories/icsa-22-291-01


Security Bulletin: IBM WebSphere Application Server is vulnerable to SOAPAction spoofing (CVE-2022-38712)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-is-vulnerable-to-soapaction-spoofing-cve-2022-38712/


Security Bulletin: IBM Sterling B2B Integrator vulnerable to denial of service due to XStream (CVE-2021-43859)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-to-denial-of-service-due-to-xstream-cve-2021-43859/


Security Bulletin: IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Framework (CVE-2021-22060)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-to-security-bypass-due-to-spring-framework-cve-2021-22060/


Security Bulletin: IBM Sterling B2B Integrator vulnerable to remove traversal due to Apache Commons IO (CVE-2021-29425)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-to-remove-traversal-due-to-apache-commons-io-cve-2021-29425/


Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-qradar-pulse-application-add-on-to-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities/


Security Bulletin: IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analyst-workflow-app-for-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities-2/


Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow - CVE-2022-35279

https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vulnerability-affect-ibm-business-automation-workflow-cve-2022-35279/


Security Bulletin: IBM Sterling B2B Integrator vulnerable due to Eclipse Jetty

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-due-to-eclipse-jetty/