Daily summary - 31.03.2022

End-of-Day report

Timeframe: Wednesday 30-03-2022 18:00 - Thursday 31-03-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a

News

Spring patches leaked Spring4Shell zero-day RCE vulnerability

Spring released emergency updates to fix the Spring4Shell zero-day remote code execution vulnerability, which leaked prematurely online before a patch was released.

https://www.bleepingcomputer.com/news/security/spring-patches-leaked-spring4shell-zero-day-rce-vulnerability/


Java: Exploit for RCE vulnerability in Spring leaked

Under certain conditions a single HTTP request is enough to plant a web shell on a Spring application. The vulnerability is apparently already being exploited in the wild.

https://www.golem.de/news/java-exploit-fuer-rce-luecke-in-spring-geleakt-2203-164292-rss.html


SpringShell Detector - searches compiled code (JAR/WAR binaries) for potentially vulnerable web apps

The SpringShell vulnerability may affect some web applications using Spring Framework, but requires a number of conditions to be exploitable. One specific condition which may be rather rare (and therefore render most applications non-exploitable in practice) is the existence of Spring endpoints which bind request parameters to a non-primitive (Java Bean) type. This tool can be used to scan compiled code and verify whether such endpoints exist in the codebase.

https://github.com/jfrog/jfrog-spring-tools


Simple local Spring vulnerability scanner

This is a simple tool that can be used to find instances of Spring vulnerable to CVE-2022-22965 ("SpringShell") in installations of Java software such as web applications. JAR and WAR archives are inspected and class files that are known to be vulnerable are flagged.

https://github.com/hillu/local-spring-vuln-scanner
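As an added example that is not part of the original report and not the code of either tool linked above: a small Python scanner that walks JAR/WAR archives, recursing into JARs nested under WEB-INF/lib, and flags spring-beans builds older than the CVE-2022-22965 fix releases 5.3.18 and 5.2.20. Unlike the hillu tool, which matches known-vulnerable class files, this relies on the Maven pom.properties metadata that most published Spring JARs carry (an assumption: shaded or repackaged JARs may lack it and would be missed). A version hit means "review this deployment", not "exploitable": exploitation still depends on the conditions named in the JFrog entry, such as endpoints binding request parameters to a Java Bean. The sample WAR is constructed in memory.

```python
"""Flag spring-beans builds below the CVE-2022-22965 fix releases inside JAR/WAR archives."""
import io
import re
import zipfile

# Fix releases published by Spring for CVE-2022-22965, keyed by branch.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
# Maven metadata path that spring-beans ships inside its JAR.
POM_RE = re.compile(r"^META-INF/maven/org\.springframework/spring-beans/pom\.properties$")


def parse_version(text):
    """Extract (major, minor, patch) from a pom.properties 'version=' line."""
    for line in text.splitlines():
        if line.startswith("version="):
            m = re.match(r"(\d+)\.(\d+)\.(\d+)", line.split("=", 1)[1])
            if m:
                return tuple(int(x) for x in m.groups())
    return None


def is_vulnerable_version(v):
    """True if the build is older than its branch's fix release.
    Branches before 5.2 were out of support and received no fix, so they are flagged too;
    newer branches (none existed at the time of the advisory) are treated as fixed."""
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return v < (5, 2, 0)


def scan_archive(data, path="<archive>"):
    """Return a list of (location, version_tuple, vulnerable) findings for one archive.
    Nested .jar entries (e.g. WEB-INF/lib/*.jar in a WAR) are scanned recursively."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if POM_RE.match(name):
                v = parse_version(zf.read(name).decode("utf-8", "replace"))
                if v:
                    findings.append((path, v, is_vulnerable_version(v)))
            elif name.lower().endswith(".jar"):
                findings.extend(scan_archive(zf.read(name), f"{path}!{name}"))
    return findings


def build_sample_war():
    """Constructed fixture, not a real application: a WAR bundling a vulnerable
    spring-beans 5.3.17 JAR next to a fixed 5.3.18 JAR."""
    def jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as j:
            j.writestr(
                "META-INF/maven/org.springframework/spring-beans/pom.properties",
                f"#Generated by Maven\nversion={version}\n"
                "groupId=org.springframework\nartifactId=spring-beans\n",
            )
        return buf.getvalue()

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as w:
        w.writestr("WEB-INF/lib/spring-beans-5.3.17.jar", jar("5.3.17"))
        w.writestr("WEB-INF/lib/other-spring-beans-5.3.18.jar", jar("5.3.18"))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage against a real file: scan_archive(open("app.war", "rb").read(), "app.war")
    for loc, v, vuln in scan_archive(build_sample_war(), "app.war"):
        print(f"{loc}: spring-beans {'.'.join(map(str, v))} -> {'VULNERABLE' if vuln else 'ok'}")
```

Because the check is metadata-based, pair it with a runtime inventory (which JDK runs the app, whether it is deployed as a WAR on Tomcat, which controllers bind beans) before deciding an instance is actually exposed.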


Spring4Shell: Security Analysis of the latest Java RCE 0-day vulnerabilities in Spring

We've been taking a look at the new zero-day exploit, dubbed Spring4Shell, supposedly discovered in Spring Core, to determine whether it's a real problem, and we also explain another RCE vulnerability found in Spring.

https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities


Calendly actively abused in Microsoft credentials phishing

Phishing actors are actively abusing Calendly to kick off a clever sequence to trick targets into entering their email account credentials on the phishing page.

https://www.bleepingcomputer.com/news/security/calendly-actively-abused-in-microsoft-credentials-phishing/


Lazarus Trojanized DeFi app for delivering malware

We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor.

https://securelist.com/lazarus-trojanized-defi-app/106195/


Conti-nuation: methods and techniques observed in operations post the leaks

This post describes the methods and techniques we observed during recent incidents that took place after the Conti data leaks.

https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniques-observed-in-operations-post-the-leaks/

Vulnerabilities

QNAP warns severe OpenSSL bug affects most of its NAS devices

Taiwan-based network-attached storage (NAS) maker QNAP warned on Tuesday that most of its NAS devices are impacted by a high severity OpenSSL bug disclosed two weeks ago.

https://www.bleepingcomputer.com/news/security/qnap-warns-severe-openssl-bug-affects-most-of-its-nas-devices/


"VMware Spring Cloud" Java bug gives instant remote code execution - update now!

Easy unauthenticated remote code execution - PoC code already out

https://nakedsecurity.sophos.com/2022/03/30/vmware-spring-cloud-java-bug-gives-instant-remote-code-execution-update-now/


Security updates for Thursday

Security updates have been issued by Debian (libgc and pjproject), Fedora (cobbler, mingw-openjpeg2, and openjpeg2), Mageia (openvpn), openSUSE (abcm2ps, fish3, icingaweb2, kernel-firmware, nextcloud, openSUSE-build-key, python2-numpy, salt, and zlib), Slackware (vim), SUSE (kernel-firmware, opensc, python2-numpy, python3, salt, and zlib), and Ubuntu (dosbox, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.13, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, [...]

https://lwn.net/Articles/889852/


The Old Switcheroo: Hiding Code on Rockwell Automation PLCs

CVE-2022-1161 affects numerous versions of Rockwell's Logix Controllers and has a CVSS score of 10, the highest criticality. CVE-2022-1159 affects several versions of its Studio 5000 Logix Designer application and has a CVSS score of 7.7, high severity.

https://claroty.com/2022/03/31/blog-research-hiding-code-on-rockwell-automation-plcs/


WordPress Plugin "Advanced Custom Fields" vulnerable to missing authorization

https://jvn.jp/en/jp/JVN42543427/


Anti Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032

https://www.drupal.org/sa-contrib-2022-032


Security Bulletin: IBM Db2 Web Query for i is vulnerable to denial of service in Apache Commons Compress (CVE-2021-36090), arbitrary code execution in Apache Log4j (CVE-2021-44832), and cross-site scripting in TIBCO WebFOCUS (CVE-2021-35493)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-web-query-for-i-is-vulnerable-to-denial-of-service-in-apache-commons-compress-cve-2021-36090-arbitrary-code-execution-in-apache-log4j-cve-2021-44832-and-cross-site-s/


Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in NumPy

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-numpy/


Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-websphere-cast-iron-solution-app-connect-professional-9/


Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-xstream-4/


Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-10/


Security Bulletin: IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is vulnerable to HTTP request smuggling due to Netty (CVE-2021-43797)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-omnibus-transport-module-common-integration-library-is-vulnerable-to-http-request-smuggling-due-to-netty-cve-2021-43797/


Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in TensorFlow

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-tensorflow-5/


Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-go-6/


Security Bulletin: IBM QRadar Network Security is affected by Wget vulnerability (CVE-2021-31879)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-security-is-affected-by-wget-vulnerability-cve-2021-31879/


Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Spring

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-spring-3/


Security Bulletin: IBM Security Verify Access is vulnerable to obtaining sensitive information due to improper validation of JWT tokens.

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-access-is-vulnerable-to-obtaining-sensitive-information-due-to-improper-validation-of-jwt-tokens/


CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778 (Severity: HIGH)

https://security.paloaltonetworks.com/CVE-2022-0778