Daily summary - 12.04.2022

End-of-Day report

Timeframe: Monday 11-04-2022 18:00 - Tuesday 12-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Qbot malware switches to new Windows Installer infection vector

The Qbot botnet is now pushing malware payloads via phishing emails with password-protected ZIP archive attachments containing malicious MSI Windows Installer packages.

https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new-windows-installer-infection-vector/


Discord accounts targeted by cybercriminals

Since the beginning of the year, GData's security researchers have seen an increase in malware that aims to steal Discord access tokens. Users should take countermeasures.

https://heise.de/-6669765


Terrible cloud security is leaving the door open for hackers. Here's what you're doing wrong

A rise in hybrid work and a shift to cloud platforms has changed how businesses operate - but it's also leaving them vulnerable to cyberattacks.

https://www.zdnet.com/article/terrible-cloud-security-is-leaving-the-door-open-for-hackers-heres-what-youre-doing-wrong/


Industroyer2: Industroyer reloaded

This ICS-capable malware targets a Ukrainian energy company

https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/


F5 investigating reports of NGINX zero day

UPDATE 4/12: On Monday evening, NGINX released a blog about the issue, writing that it only affects reference implementations and does not affect NGINX Open Source or NGINX Plus. The company said deployments of the LDAP reference implementation are affected by the vulnerabilities if command-line parameters are used to configure the Python daemon, if there are unused, optional configuration parameters and if LDAP authentication depends on specific group membership.

https://therecord.media/f5-investigating-reports-of-nginx-zero-day/


SystemBC Being Used by Various Attackers

SystemBC is a proxy malware that has been used by various attackers for the last few years. While it has recently been distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past. When an attacker attempts to reach a certain address with malicious intent, an infected system running SystemBC can be used as a relay, since the malware acts as a proxy bot.

https://asec.ahnlab.com/en/33600/

Vulnerabilities

Critical LFI Vulnerability Reported in Hashnode Blogging Platform

Researchers have disclosed a previously undocumented local file inclusion (LFI) vulnerability in Hashnode, a developer-oriented blogging platform, that could be abused to access sensitive data such as SSH keys, the server's IP address, and other network information.

https://thehackernews.com/2022/04/critical-lfi-vulnerability-reported-in.html


Security updates for Tuesday

Security updates have been issued by Debian (thunderbird and usbguard), Fedora (containerd, firefox, golang-github-containerd-imgcrypt, nss, and vim), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (libexif, mozilla-nss, mysql-connector-java, and qemu), and Ubuntu (libarchive and python-django).

https://lwn.net/Articles/891048/


Amazon RDS Vulnerability Led to Exposure of Credentials

Amazon Web Services (AWS) on Monday announced that it recently addressed a vulnerability in Amazon Relational Database Service (RDS) that could lead to the exposure of internal credentials.

https://www.securityweek.com/amazon-rds-vulnerability-led-exposure-credentials


SSA-350757 V1.0: Improper Access Control Vulnerability in TIA Portal Affecting S7-1200 and S7-1500 CPUs Web Server (Incl. Related ET200 CPUs and SIPLUS variants)

An attacker could achieve privilege escalation on the web server of certain devices configured by SIMATIC STEP 7 (TIA Portal) due to incorrect handling of the webserver's user management configuration during downloading. This only affects the S7-1200 and S7-1500 CPUs' (incl. related ET200 CPUs and SIPLUS variants) web server, when activated. Siemens has released updates for several affected products and recommends updating to the latest versions.

https://cert-portal.siemens.com/productcert/txt/ssa-350757.txt


SSA-392912 V1.0: Multiple Denial Of Service Vulnerabilities in SCALANCE W1700 Devices

Vulnerabilities have been identified in devices of the SCALANCE W-1700 (11ac) family that could allow an attacker to cause various denial of service conditions. Siemens has released updates for the affected products and recommends updating to the latest versions.

https://cert-portal.siemens.com/productcert/txt/ssa-392912.txt


SSA-414513 V1.0: Information Disclosure Vulnerability in Mendix

An information disclosure vulnerability in Mendix applications was discovered. The vulnerability could allow an attacker to read sensitive data. Siemens has released an update for Mendix applications using Mendix 9 and recommends updating to the latest version. Siemens recommends countermeasures for products where updates are not, or not yet, available.

https://cert-portal.siemens.com/productcert/txt/ssa-414513.txt


SSA-446448 V1.0: Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack

The PROFINET (PNIO) stack, when integrated with the Interniche IP stack, contains a vulnerability that could allow an attacker to cause a denial of service condition on affected industrial products. Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet, available.

https://cert-portal.siemens.com/productcert/txt/ssa-446448.txt


SSA-557541 V1.0: Denial-of-Service Vulnerability in SIMATIC S7-400 CPUs

SIMATIC S7-400 CPU devices contain an input validation vulnerability that could allow an attacker to create a Denial-of-Service condition. A restart is needed to restore normal operations. Siemens has released an update for the SIMATIC S7-410 V10 CPU family and the SIMATIC S7-400 H V6 CPU family (incl. SIPLUS variants for both) and recommends updating to the latest version. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not yet

https://cert-portal.siemens.com/productcert/txt/ssa-557541.txt


SSA-655554 V1.0: Multiple Vulnerabilities in SIMATIC Energy Manager before V7.3 Update 1

SIMATIC Energy Manager is affected by multiple vulnerabilities that could allow an attacker to gain local privilege escalation, local code execution or remote code execution. Siemens has released updates for the affected products and recommends updating to the latest versions.

https://cert-portal.siemens.com/productcert/txt/ssa-655554.txt


SSA-711829 V1.0: Denial of Service Vulnerability in TIA Administrator

In conjunction with the installation of the affected products listed in the table below, a vulnerability in TIA Administrator occurs that could allow an unauthenticated attacker to perform a denial of service attack. Siemens has released a first update for one of the affected products and recommends updating to the latest version. Siemens is preparing further updates and recommends specific countermeasures.

https://cert-portal.siemens.com/productcert/txt/ssa-711829.txt


SSA-836527 V1.0: Multiple Vulnerabilities in SCALANCE X-300 Switch Family Devices

Several SCALANCE X-300 switches contain multiple vulnerabilities. An unauthenticated attacker could reboot the device, cause denial of service conditions and potentially impact the system by other means through heap and buffer overflow vulnerabilities. Siemens has released updates for the affected products and recommends updating to the latest versions.

https://cert-portal.siemens.com/productcert/txt/ssa-836527.txt


SSA-870917 V1.0: Improper Access Control Vulnerability in Mendix

When querying the database, it is possible to sort the results using a protected field. With this, an authenticated attacker could extract information about the contents of a protected field. Siemens has released updates for the affected products and recommends updating to the latest versions.

https://cert-portal.siemens.com/productcert/txt/ssa-870917.txt


SSA-998762 V1.0: File Parsing Vulnerabilities in Simcenter Femap before V2022.1.2

Siemens Simcenter Femap versions before V2022.1.2 are affected by vulnerabilities that could be triggered when the application reads files in .NEU format. If a user is tricked into opening a malicious file with the affected application, an attacker could leverage the vulnerability to leak information or potentially perform remote code execution in the context of the current process. Siemens recommends updating to the latest version line of Simcenter Femap and avoiding opening untrusted files.

https://cert-portal.siemens.com/productcert/txt/ssa-998762.txt


SSA-316850: Unauthenticated File Access in SICAM A8000 Devices

SICAM A8000 CP-8050 and CP-8031 devices contain vulnerabilities that could allow an attacker to access files without authentication.

https://cert-portal.siemens.com/productcert/txt/ssa-316850.txt


SAP Patchday April 2022

https://www.cert-bund.de/advisoryshort/CB-K22-0414


Citrix SD-WAN Security Bulletin for CVE-2022-27505 and CVE-2022-27506

https://support.citrix.com/article/CTX370550


Citrix StoreFront Security Bulletin for CVE-2022-27503

https://support.citrix.com/article/CTX377814


Citrix Gateway Plug-in for Windows Security Bulletin for CVE-2022-21827

https://support.citrix.com/article/CTX341455


PHOENIX CONTACT: Multiple Linux component vulnerabilities fixed in latest AXC F x152 LTS release

https://cert.vde.com/de/advisories/VDE-2022-010/


PHOENIX CONTACT: mGuard Device Manager affected by HTTP Request Smuggling of Apache Webserver

https://cert.vde.com/de/advisories/VDE-2022-014/


PHOENIX CONTACT: Multiple products affected by possible infinite loop within OpenSSL library

https://cert.vde.com/de/advisories/VDE-2022-013/


Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Spring Framework

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-to-multiple-vulnerabilities-due-to-spring-framework/


Security Bulletin: IBM Sterling B2B Integrator is affected by a remote code execution in Spring Framework (CVE-2022-22965)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-is-affected-by-a-remote-code-execution-in-spring-framework-cve-2022-22965/


Security Bulletin: IBM Maximo For Civil infrastructure is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-for-civil-infrastructure-is-vulnerable-to-a-remote-code-execution-in-spring-framework-cve-2022-22965/


Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affects-rational-team-concert-rtc-and-ibm-engineering-workflow-management-ewm-4/


Security Bulletin: IBM Process Mining is vulnerable to Prototype Pollution due to json-schema CVE-2021-3918

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vulnerable-to-prototype-pollution-due-to-json-schema-cve-2021-3918/


Security Bulletin: Vulnerabilities in Dojo and dom4j libraries affect Tivoli Netcool/OMNIbus WebGUI (CVE-2020-10683, CVE-2021-23450)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-dojo-and-dom4j-libraries-affect-tivoli-netcool-omnibus-webgui-cve-2020-10683-cve-2021-23450/


Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Performance Management products (CVE-2021-23450)

https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-websphere-application-server-liberty-affects-ibm-performance-management-products-cve-2021-23450/


Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-affected-by-multiple-vulnerabilities-including-a-remote-code-execution-in-spring-framework-cve-2022-22965/


Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServers that use the Box connector may be vulnerable to arbitrary code execution due to CVE-2021-23555

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-integrationservers-that-use-the-box-connector-may-be-vulnerable-to-arbitrary-code-execution-due-to-cve-2021-23555/


Security Bulletin: Multiple Vulnerabilities affect IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data

https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-db2-on-openshift-and-ibm-db2-and-db2-warehouse-on-cloud-pak-for-data/


Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to CKEditor

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-to-multiple-vulnerabilities-due-to-ckeditor/