End-of-Day report
Timeframe: Monday 12-12-2022 18:00 - Tuesday 13-12-2022 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
News
Amazon ECR Public Gallery flaw could have wiped or poisoned any image
The researcher reported the vulnerability to AWS Security on November 15, 2022, and Amazon rolled out a fix in under 24 hours.
While there are no signs of this flaw being abused in the wild, threat actors could have used it in massive-scale supply chain attacks against many users.
https://www.bleepingcomputer.com/news/security/amazon-ecr-public-gallery-flaw-could-have-wiped-or-poisoned-any-image/
IIS modules: The evolution of web shells and how to detect them
This blog aims to provide further guidance on detecting malicious IIS modules and other capabilities that you can use during your own incident response investigations.
https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-evolution-of-web-shells-and-how-to-detect-them/
A Deep Dive into BianLian Ransomware
BianLian ransomware is a Golang malware that performed targeted attacks across multiple industries in 2022. The ransomware employed anti-analysis techniques consisting of API calls that would likely crash some sandboxes/automated analysis systems. The malware targets all drives identified on the machine and deletes itself after the encryption is complete.
https://resources.securityscorecard.com/research/bian-lian-deep-dive
New Python-Based Backdoor Targeting VMware ESXi Servers
Security researchers with Juniper Networks' Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers. The targeted servers were impacted by known security defects (such as CVE-2019-5544 and CVE-2020-3992) that were likely used for initial compromise, but what caught the researchers' attention was the simplicity, persistence, and capabilities of the deployed backdoor.
https://www.securityweek.com/new-python-based-backdoor-targeting-vmware-esxi-servers
What's My Name Again? Reolink camera command injection
TL;DR Research on Reolink's RLC-520A smart motion detection camera has turned up an authenticated command injection vulnerability. Exploiting this vulnerability with an injected system command can render the device useless.
https://www.pentestpartners.com/security-blog/whats-my-name-again-reolink-camera-command-injection/
Current wave of DDoS attacks on state-affiliated and critical infrastructure in Austria
For roughly two weeks, Austrian state and state-affiliated organisations as well as critical-infrastructure companies have increasingly been confronted with DDoS attacks. The exact background and motives of the attacks are currently unknown to us. The perpetrators are using a variety of methods and are also trying to adapt to the countermeasures that have been taken.
https://cert.at/de/aktuelles/2022/12/aktuelle-welle-an-ddos-angriffen-auf-staatsnahe-und-kritische-infrastruktur-in-osterreich
REPORT: A new trick from Facebook scammers and Sharkbot Android malware returns
A new wave of scams utilizes Facebook's tagging feature to trick Page owners into believing they've violated Facebook's terms and conditions. Several variations of the attack exist, but all lead to phishing sites designed to steal Page owners' credentials.
https://blog.f-secure.com/f-alert-report-a-new-trick-from-facebook-scammers-and-sharkbot-android-malware-returns/
Vulnerabilities
Redmine vulnerable to cross-site scripting
Redmine contains a cross-site scripting vulnerability.
https://jvn.jp/en/jp/JVN60211811/
Announcing TYPO3 12.1.1 [12.1.2], 11.5.20 and 10.4.33 security releases
Today we've released TYPO3 12.1.1, 11.5.20 LTS and 10.4.33 LTS, which are ready for you to download. All versions are security releases and contain important security fixes. [Unfortunately TYPO3 v12.1.1 contained a regression, which has been fixed in TYPO3 v12.1.2.]
https://lists.typo3.org/pipermail/typo3-announce/2022/000523.html
Vulnerabilities in multiple third party TYPO3 CMS extensions
Several vulnerabilities have been found in the following third party TYPO3 extensions:
* "Change password for frontend users" (fe_change_pwd)
* "Newsletter subscriber management" (fp_newsletter)
* "Master-Quiz" (fp_masterquiz)
For further information on the issues, please read the related advisories TYPO3-EXT-SA-2022-016, TYPO3-EXT-SA-2022-017 and TYPO3-EXT-SA-2022-018, which were published today.
https://lists.typo3.org/pipermail/typo3-announce/2022/000524.html
OpenSSL: X.509 Policy Constraints Double Locking (CVE-2022-3996)
Severity: Low
If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup.
https://www.openssl.org/news/secadv/20221213.txt
SAP Patchday: 14 new security notes in December
At the end of the year, SAP addresses vulnerabilities in the company's software in 14 security notes. IT managers should apply the updates promptly.
https://heise.de/-7392718
Patch now! Critical zero-day vulnerability in FortiOS is under attack
Fortinet reports a critical vulnerability in FortiOS. Cybercriminals are already abusing it for attacks. Updates are available.
https://heise.de/-7392455
VMSA-2022-0031
Synopsis: VMware vRealize Network Insight (vRNI) updates address command injection and directory traversal security vulnerabilities (CVE-2022-31702, CVE-2022-31703)
https://www.vmware.com/security/advisories/VMSA-2022-0031.html
VMSA-2022-0033
Synopsis: VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability (CVE-2022-31705)
https://www.vmware.com/security/advisories/VMSA-2022-0033.html
Security updates for Tuesday
Security updates have been issued by Debian (node-tar and pngcheck), SUSE (colord, containerd, and tiff), and Ubuntu (containerd, linux-azure, linux-azure, linux-azure-5.4, linux-oem-5.17, and vim).
https://lwn.net/Articles/917749/
Security Vulnerabilities fixed in Thunderbird 102.6
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/
Security Vulnerabilities fixed in Firefox ESR 102.6
CVE-2022-46880: Use-after-free in WebGL
CVE-2022-46872: Arbitrary file read from a compromised content process
CVE-2022-46881: Memory corruption in WebGL
CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions
CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS
CVE-2022-46882: Use-after-free in WebGL
CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/
Security Vulnerabilities fixed in Firefox 108
CVE-2022-46871: libusrsctp library out of date
CVE-2022-46872: Arbitrary file read from a compromised content process
CVE-2022-46873: Firefox did not implement the CSP directive unsafe-hashes
CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions
CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS
CVE-2022-46877: Fullscreen notification bypass
CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
CVE-2022-46879: Memory safety bugs fixed in Firefox 108
https://www.mozilla.org/en-US/security/advisories/mfsa2022-51/
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518
A vulnerability has been discovered in Citrix Gateway and Citrix ADC, listed below, that, if exploited, could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance.
CVE-ID: CVE-2022-27518
https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227518
Privilege escalation vulnerabilities (UNIX insecure file handling) in SAP® Host Agent (saposcol)
Due to insecure file handling issues of the SAP® Host Agent, a local attacker can exploit the helper binary saposcol to escalate privileges on UNIX systems. Successful exploitation leads to full system compromise with root access.
https://sec-consult.com/de/vulnerability-lab/advisory/privilege-escalation-schwachstelle-unix-insecure-file-handling-sap-saposcol/
ICS Advisory (ICSA-22-347-03): Contec CONPROSSYS HMI System (CHS)
https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03
ICS Advisory (ICSA-22-347-02): Schneider Electric APC Easy UPS Online
https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-02
ICS Advisory (ICSA-22-347-01): ICONICS and Mitsubishi Electric Products
https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-01
Wiesemann & Theis multiple products prone to web interface vulnerability
https://cert.vde.com/de/advisories/VDE-2022-057/
Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products
https://cert.vde.com/de/advisories/VDE-2022-038/
A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage Server
https://www.ibm.com/support/pages/node/6847315
AIX is vulnerable to a denial of service due to libxml2 (CVE-2022-29824)
https://www.ibm.com/support/pages/node/6619729
IBM QRadar Network Packet Capture has released 7.3.1 Patch 1, and 7.2.8 Patch 1 in response to the vulnerabilities known as Spectre and Meltdown.
https://www.ibm.com/support/pages/node/571419
Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2021-41041, CVE-2022-3676)
https://www.ibm.com/support/pages/node/6847341
Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact
https://www.ibm.com/support/pages/node/6847351
Multiple vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-24839, CVE-2022-37734, CVE-2022-34165)
https://www.ibm.com/support/pages/node/6847349
Multiple vulnerabilities have been identified in Smack API shipped with IBM Tivoli Netcool Impact (CVE-2014-0363, CVE-2014-0364)
https://www.ibm.com/support/pages/node/6847337
Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System
https://www.ibm.com/support/pages/node/6847563
WebSphere Application Server is vulnerable to SOAPAction spoofing when processing JAX-WS Web Services requests which affects Content Collector for Email
https://www.ibm.com/support/pages/node/6847593
Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server
https://www.ibm.com/support/pages/node/6847591
Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server
https://www.ibm.com/support/pages/node/6847587
Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server
https://www.ibm.com/support/pages/node/6847595
Vulnerability in OAuthlib affects IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-36087)
https://www.ibm.com/support/pages/node/6842215
Vulnerabilities in Redis affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-24736, CVE-2022-24735)
https://www.ibm.com/support/pages/node/6842235