Tageszusammenfassung - 13.12.2022

End-of-Day report

Timeframe: Montag 12-12-2022 18:00 - Dienstag 13-12-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner


Amazon ECR Public Gallery flaw could have wiped or poisoned any image

The researcher reported the vulnerability to AWS Security on November 15, 2022, and Amazon rolled out a fix in under 24 hours. While there are no signs of this flaw being abused in the wild, threat actors could have used it in massive-scale supply chain attacks against many users.


IIS modules: The evolution of web shells and how to detect them

This blog aims to provide further guidance on detecting malicious IIS modules and other capabilities that you can use during your own incident response investigations.


A Deep Dive into BianLian Ransomware

BianLian ransomware is a Golang malware that performed targeted attacks across multiple industries in 2022. The ransomware employed anti-analysis techniques consisting of API calls that would likely crash some sandboxes/automated analysis systems. The malware targets all drives identified on the machine and deletes itself after the encryption is complete.


New Python-Based Backdoor Targeting VMware ESXi Servers

Security researchers with Juniper Networks- Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers. The targeted servers were impacted by known security defects (such as CVE-2019-5544 and CVE-2020-3992) that were likely used for initial compromise, but what caught the researchers- attention was the simplicity, persistence, and capabilities of the deployed backdoor.


What-s My Name Again? Reolink camera command injection

TL;DR Research on Reolink-s RLC-520A smart motion detection camera has turned up an authenticated command injection vulnerability. Exploiting this vulnerability with an injected system command can render the device useless.


Aktuelle Welle an DDoS Angriffen auf staatsnahe und kritische Infrastruktur in Österreich

Seit ca. zwei Wochen sehen sich vermehrt österreichische staatliche/staatsnahe Organisationen sowie Unternehmen der kritischen Infrastruktur mit DDoS Angriffen konfrontiert. Die genauen Hintergründe und Motive der Attacken sind uns zurzeit nicht bekannt. Die Täter:innen greifen hierbei zu verschiedenen Methoden und versuchen auch, sich an getroffene Gegenmaßnahmen anzupassen.


REPORT: A new trick from Facebook scammers and Sharkbot Android malware returns

A new wave of scams utilizes Facebook-s tagging feature to trick Page owners into believing they-ve violated Facebook-s terms and conditions. Several variations of the attack exist, but all lead to phishing sites designed to steal Page owner-s credentials.



Redmine vulnerable to cross-site scripting

Redmine contains a cross-site scripting vulnerability.


Announcing TYPO3 12.1.1 [12.1.2], 11.5.20 and 10.4.33 security releases

today weve released TYPO3 12.1.1, 11.5.20 LTS and 10.4.33 LTS, which are ready for you to download. All versions are security releases and contain important security fixes [unfortunately TYPO3 v12.1.1 contained a regression, which has been fixed in TYPO3 v12.1.2.]


Vulnerabilities in multiple third party TYPO3 CMS extensions

several vulnerabilities have been found in the following third party TYPO3 extensions: * "Change password for frontend users" (fe_change_pwd) * "Newsletter subscriber management" (fp_newsletter) * "Master-Quiz" (fp_masterquiz) For further information on the issues, please read the related advisories TYPO3-EXT-SA-2022-016, TYPO3-EXT-SA-2022-017 and TYPO3-EXT-SA-2022-018 which were published today


OpenSSL: X.509 Policy Constraints Double Locking (CVE-2022-3996)

Severity: Low If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup.


Patchday SAP: 14 neue Sicherheitsmeldungen im Dezember

Zum Jahresende behandelt SAP in 14 Sicherheitsnotizen Schwachstellen in der Software des Unternehmens. IT-Verantwortliche sollten die Updates rasch anwenden.


Jetzt patchen! Kritische Zero-Day-Lücke in FortiOS wird angegriffen

Fortinet meldet eine kritische Sicherheitslücke in FortiOS. Cyberkriminelle missbrauchen diese bereits für Angriffe. Updates stehen bereit.



Synopsis: VMware vRealize Network Insight (vRNI) updates address command injection and directory traversal security vulnerabilities (CVE-2022-31702, CVE-2022-31703)



Synopsis: VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability (CVE-2022-31705)


Security updates for Tuesday

Security updates have been issued by Debian (node-tar and pngcheck), SUSE (colord, containerd, and tiff), and Ubuntu (containerd, linux-azure, linux-azure, linux-azure-5.4, linux-oem-5.17, and vim).


Security Vulnerabilities fixed in Thunderbird 102.6

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.


Security Vulnerabilities fixed in Firefox ESR 102.6

CVE-2022-46880: Use-after-free in WebGL CVE-2022-46872: Arbitrary file read from a compromised content process CVE-2022-46881: Memory corruption in WebGL CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS CVE-2022-46882: Use-after-free in WebGL CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6


Security Vulnerabilities fixed in Firefox 108

CVE-2022-46871: libusrsctp library out of date CVE-2022-46872: Arbitrary file read from a compromised content process CVE-2022-46873: Firefox did not implement the CSP directive unsafe-hashes CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS CVE-2022-46877: Fullscreen notification bypass CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6 CVE-2022-46879: Memory safety bugs fixed in Firefox 108


Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518

A vulnerability has been discovered in Citrix Gateway and Citrix ADC, listed below, that, if exploited, could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance. CVE-ID: CVE-2022-27518


Privilege Escalation Schwachstellen (UNIX Insecure File Handling) in SAP® Host Agent (saposcol)

Due to insecure file handling issues of the SAP® Host Agent, a local attacker can exploit the helper binary saposcol to escalate privileges on UNIX systems. Successful exploitation leads to full system compromise with root access.


ICS Advisory (ICSA-22-347-03): Contec CONPROSSYS HMI System (CHS)


ICS Advisory (ICSA-22-347-02): Schneider Electric APC Easy UPS Online


ICS Advisory (ICSA-22-347-01): ICONICS and Mitsubishi Electric Products


Wiesemann & Theis multiple products prone to web interface vulnerability


Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products


A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage Server


AIX is vulnerable to a denial of service due to libxml2 (CVE-2022-29824)


IBM QRadar Network Packet Capture has released 7.3.1 Patch 1, and 7.2.8 Patch 1 in response to the vulnerabilities known as Spectre and Meltdown.


Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2021-41041, CVE-2022-3676)


Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact


Multiple vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-24839, CVE-2022-37734, CVE-2022-34165)


Multiple vulnerabilities have been identified in Smack API shipped with IBM Tivoli Netcool Impact (CVE-2014-0363, CVE-2014-0364)


Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System


WebSphere Application Server is vulnerable to SOAPAction spoofing when processing JAX-WS Web Services requests which affects Content Collector for Email


Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server


Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server


Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server


Vulnerability in OAuthlib affects IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-36087)


Vulnerabilities in Redis affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-24736, CVE-2022-24735)