Daily summary - 12.07.2022

End-of-Day report

Timeframe: Monday 11-07-2022 18:00 - Tuesday 12-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter

News

IBM middleware: vulnerability in MQ can lead to privilege escalation

Several security vulnerabilities in IBM MQ allow attackers to escalate their privileges on affected systems or to take them down. Updates are available.

https://heise.de/-7169603


Worm infection: Raspberry Robin malware campaign infects Windows and Qnap NAS

IT researchers at Cybereason have discovered a network worm that spreads on Windows and Qnap devices. They call the campaign Raspberry Robin.

https://heise.de/-7170350


Month of PowerShell: Threat Hunting with PowerShell Differential Analysis

One of the most powerful techniques for threat hunting on Windows: differential analysis.

https://www.sans.org/blog/threat-hunting-with-powershell-differential-analysis/


CVE-2022-29593 - Authentication Bypass by Capture Replay (Dingtian-DT-R002)

This blog post describes an authentication bypass within one such device that allows an attacker with access to the IP network to capture and subsequently replay discrete device commands, which allows for switching the physical relays on the device on and off.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2022-29593-authentication-bypass-by-capture-replay-dingtian-dt-r002/


Exploiting Authentication in AWS IAM Authenticator for Kubernetes

During my research on the AWS IAM Authenticator component, I found several flaws in the authentication process that could bypass the protection against replay attacks or allow an attacker to gain higher permissions in the cluster by impersonating other identities.

https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator


Scanning for security.txt files

RFC 9116 was written by E. Foudil and Y. Shafranovich and left draft status in April 2022. This RFC formally defines the security.txt file, which has been an unofficial standard for many years, initially created back in 2017 and documented at https://securitytxt.org/.

https://www.pentestpartners.com/security-blog/scanning-for-security-txt-files/


ChromeLoader: New Stubborn Malware Campaign

A malicious browser extension is the payload of the ChromeLoader malware family, serving as adware and an infostealer, leaking users' search queries.

https://unit42.paloaltonetworks.com/chromeloader-malware/


Is exploiting a null pointer deref for LPE just a pipe dream?

A lot of blog posts I have read go over interesting vulnerabilities and exploits but do not typically share the process behind discovery. I want to show how sometimes just manually poking around can quickly uncover vulnerabilities you might miss with other approaches to vulnerability discovery.

https://www.thezdi.com/blog/2022/6/1/is-exploiting-a-null-pointer-deref-for-lpe-just-a-pipe-dream

Vulnerabilities

ZDI-22-962: Trend Micro Maximum Security Out-Of-Bounds Read Information Disclosure Vulnerability

This vulnerability allows local attackers to disclose sensitive information on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

http://www.zerodayinitiative.com/advisories/ZDI-22-962/


Siemens ProductCERT published 19 and updated 15 advisories/bulletins

Opcenter Quality, SINAMICS PERFECT HARMONY GH180 Drives, EN100 Ethernet Module, RUGGEDCOM ROS, SIMATIC WinCC, Teamcenter Visualization, JT2Go, Industrial Products, TIA Administrator, Mendix Excel Importer Module, RUGGEDCOM ROX, SIMATIC eaSie Core Package, SCALANCE X Switches, SIMATIC CP Devices, Mendix Applications, SICAM A8000 Devices, Simcenter Femap, PROFINET Stack, PADS Standard/Plus Viewer, SIMATIC S7-1500, Mendix, SIMATIC MV500 Devices, OPC Foundation Local Discovery Server, OPC-UA, Parasolid, SICAM GridEdge.

https://new.siemens.com/global/en/products/services/cert.html?d=2022-07#SecurityPublications


SAP Patch Day: 20 new security vulnerabilities closed in July

With the July Patch Day updates, SAP closes 20 new security vulnerabilities. The vendor also updates three older security bulletins.

https://heise.de/-7170698


Security updates for Tuesday

Security updates have been issued by Debian (chromium), Mageia (openssl and webkit2), Slackware (seamonkey), SUSE (crash, curl, freerdp, ignition, libnbd, and python3), and Ubuntu (dovecot and python-ldap).

https://lwn.net/Articles/900855/


ICS Patch Tuesday: Siemens, Schneider Electric Address 59 Vulnerabilities

Industrial giants Siemens and Schneider Electric have released their Patch Tuesday security advisories for July 2022, with a total of 13 advisories describing 59 vulnerabilities.

https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-59-vulnerabilities


TYPO3-EXT-SA-2022-014: SQL Injection in extension "LUX - TYPO3 Marketing Automation" (lux)

https://typo3.org/security/advisory/typo3-ext-sa-2022-014


MariaDB: multiple vulnerabilities allow denial of service

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0641


Symantec Advanced Secure Gateway: vulnerability allows manipulation and disclosure of information

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0638


Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-24921)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-golang-language-affect-ibm-event-streams-cve-2022-24921/


Security Bulletin: IBM Security SiteProtector System is affected by multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotector-system-is-affected-by-multiple-vulnerabilities/


Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23305)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson-has-addressed-apache-log4j-vulnerability-cve-2022-23305/


Security Bulletin: IBM Security Verify Governance is vulnerable to multiple security issues due to Node.js

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-governance-is-vulnerable-to-multiple-security-issues-due-to-node-js/


Security Bulletin: IBM QRadar SIEM is vulnerable to denial of service attack due to CVE-2021-39041

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-denial-of-service-attack-due-to-cve-2021-39041/


Security Bulletin: IBM Integration Bus is vulnerable to arbitrary code execution due to Node.js ejs module (CVE-2022-29078)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-is-vulnerable-to-arbitrary-code-execution-due-to-node-js-ejs-module-cve-2022-29078/


Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-server-is-affected-by-openssl-vulnerability-cve-2022-0778-2/


Security Bulletin: IBM Security Verify Information Queue uses Apache LDAP API with a known vulnerability (CVE-2018-1337)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-information-queue-uses-apache-ldap-api-with-a-known-vulnerability-cve-2018-1337/


Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-modernization-engine-for-lifecycle-integration-is-vulnerable-to-multiple-vulnerabilities/


Security Bulletin: A security vulnerability has been identified in Postgresql shipped with IBM Tivoli Netcool Impact (CVE-2022-26520, CVE-2022-21724, WS-2022-0080)

https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-postgresql-shipped-with-ibm-tivoli-netcool-impact-cve-2022-26520-cve-2022-21724-ws-2022-0080/


Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-29526)

https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-golang-language-affect-ibm-event-streams-cve-2022-29526/


Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application-server-liberty-is-vulnerable-to-identity-spoofing-cve-2022-22476-2/


Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-server-is-affected-by-openssl-vulnerability-cve-2021-4160-2/


Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23302)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson-has-addressed-apache-log4j-vulnerability-cve-2022-23302/