End-of-Day report
Timeframe: Monday 25-07-2022 18:00 - Tuesday 26-07-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Fraud scheme on Willhaben on the rise: consumer advocates warn
Anyone using trading platforms such as Willhaben should handle their personal data carefully.
https://futurezone.at/digital-life/phishing-willhaben-betrug-opfer-sicherheit-geld-ueberweisung-daten/402087559
Security: researchers attack smartphones via the charging port
Ghost touches are forced touches on the touchscreens of smartphones and tablets; researchers were able to trigger them via a charging cable.
https://www.golem.de/news/sicherheit-forscher-greifen-smartphones-ueber-ladebuchse-an-2207-167164.html
How is Your macOS Security Posture?, (Tue, Jul 26th)
Many people who use Apple devices daily often have a wrong sense of security. A few years ago, Apple devices were left aside from many security issues that Windows users faced for a long time. Also, based on a BSD layer, the OS wasn't a juicy target for attackers. Today, the landscape changed: Apple devices, especially Macbooks, are used not only by "creators" (musicians, designers, ...) and geeks but by many interesting profiles like managers and security researchers.
https://isc.sans.edu/diary/rss/28882
Month of PowerShell - PowerShell Version of Keeper (Save Useful Command Lines)
In this article we build a useful PowerShell function to save useful commands for later reference: Save-Keeper!
https://www.sans.org/blog/powershell-version-keeper?msc=rss
How to analyze Linux malware - A case study of Symbiote
Symbiote is a Linux threat that hooks libc and libpcap functions to hide the malicious activity. The malware hides processes and files that are used during the activity by implementing two functions called hidden_proc and hidden_file. It can also hide network connections based on a list of ports and by hijacking any injected packet filtering bytecode. The malware's purpose is to steal credentials from the SSH and SCP processes by hooking the libc read function.
https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/
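Because Symbiote works by hooking libc inside other processes, the first thing to look for on a suspect host is how a foreign shared object gets into those processes at all. The script below is an added example (not code from the page or from the cybergeeks write-up) and rests on two assumptions the page does not state: that the implant is injected through /etc/ld.so.preload or the LD_PRELOAD environment variable, and that on a clean host every mapped shared object lives under a standard library directory. The /proc excerpts and the implant path /dev/shm/.cache/libhook.so are constructed for the demonstration.

```python
"""Checks for an LD_PRELOAD-style userland rootkit such as Symbiote.

Added example; not code from the page or from the cybergeeks write-up.
Assumptions (not stated on the page): the implant is injected into processes
through /etc/ld.so.preload or the LD_PRELOAD environment variable, and on a
clean host every mapped shared object lives under a standard library directory.
The sample /proc data and the implant path below are constructed.
"""
import os

# Directories from which a clean host is expected to load shared objects.
TRUSTED_LIB_DIRS = ("/lib", "/lib32", "/lib64", "/usr/lib", "/usr/lib32",
                    "/usr/lib64", "/usr/local/lib", "/usr/libexec", "/opt")

# Constructed excerpt of /proc/<pid>/maps for an sshd process.
SAMPLE_MAPS = """\
55d4c0a00000-55d4c0a01000 r--p 00000000 08:01 131 /usr/sbin/sshd
7f2a1c000000-7f2a1c022000 r--p 00000000 08:01 2201 /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1c200000-7f2a1c210000 r-xp 00000000 08:01 9001 /dev/shm/.cache/libhook.so
7f2a1c400000-7f2a1c401000 rw-p 00000000 00:00 0 [stack]
7f2a1c500000-7f2a1c520000 r-xp 00000000 08:01 2202 /usr/lib/x86_64-linux-gnu/libpcap.so.1.10.1
"""

# Constructed /etc/ld.so.preload; on a clean host this file is absent or empty.
SAMPLE_PRELOAD = "# added by installer\n/dev/shm/.cache/libhook.so\n\n"

# Constructed /proc/<pid>/environ blob (NUL-separated entries).
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/.cache/libhook.so\0HOME=/root\0"


def mapped_libraries(maps_text):
    """Shared-object paths that appear in /proc/<pid>/maps text."""
    libs = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/") and ".so" in os.path.basename(parts[5]):
            libs.add(parts[5])
    return libs


def unexpected_libraries(paths, trusted=TRUSTED_LIB_DIRS):
    """Mapped libraries outside the trusted directories (e.g. /tmp, /dev/shm)."""
    return sorted(p for p in paths
                  if not any(p == d or p.startswith(d + "/") for d in trusted))


def preload_entries(preload_text):
    """Library paths configured in /etc/ld.so.preload; any entry is a finding."""
    return [ln.strip() for ln in preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def environ_preload(environ_bytes):
    """Value of LD_PRELOAD in a /proc/<pid>/environ blob, or None if unset."""
    for entry in environ_bytes.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def findings(maps_text, preload_text, environ_bytes):
    """Combine the three checks into a list of human-readable findings."""
    out = [f"ld.so.preload entry: {p}" for p in preload_entries(preload_text)]
    ld = environ_preload(environ_bytes)
    if ld:
        out.append(f"LD_PRELOAD in environment: {ld}")
    out += [f"library mapped outside trusted dirs: {p}"
            for p in unexpected_libraries(mapped_libraries(maps_text))]
    return out


def _read(path, mode="r"):
    """Read a file, treating a missing or unreadable file as empty."""
    try:
        with open(path, mode) as fh:
            return fh.read()
    except OSError:
        return "" if mode == "r" else b""


def check_process(pid="self"):
    """Run the checks against a live Linux host for one process id."""
    return findings(_read(f"/proc/{pid}/maps"), _read("/etc/ld.so.preload"),
                    _read(f"/proc/{pid}/environ", "rb"))


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_MAPS, SAMPLE_PRELOAD, SAMPLE_ENVIRON)))
```

One caveat follows directly from the write-up: a preloaded hook sees every libc call the checker itself makes, and the page says the malware hides its own files and processes, so `check_process()` run on an infected host may be lied to. Treat a clean result as meaningful only when the checks are run from a trusted environment, for example against a mounted disk image from a rescue system or with a statically linked tool that does not go through the hooked libc.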
CVE-2022-31813: Forwarding addresses is hard
A few weeks ago, version 2.4.54 of Apache HTTPD server was released. It includes a fix for CVE-2022-31813, a vulnerability we identified in mod_proxy that could affect unsuspecting applications served by an Apache reverse proxy. Let's see why it is rated as low in the software changelog and why it still matters.
TL;DR: when in doubt, patch!
https://www.synacktiv.com/publications/cve-2022-31813-forwarding-addresses-is-hard.html
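The reason a "low" rated header bug matters is the interaction between the proxy and the application behind it: CVE-2022-31813 lets a client make mod_proxy drop the X-Forwarded-* headers it would normally send, and an origin application that falls back to the TCP peer address then sees the proxy's own (often loopback) address. The following is an added example, not code from the page, from Synacktiv or from the httpd project. It models only the order in which the proxy adds its X-Forwarded-* headers and strips the hop-by-hop headers named in the client's Connection header; the backend allow-list, the addresses and the header values are constructed for illustration.

```python
"""Simplified model of the header-ordering flaw behind CVE-2022-31813 in
Apache HTTP Server mod_proxy (fixed in 2.4.54).

Added example; not code from the page, from Synacktiv or from httpd. It
models only the order in which mod_proxy adds X-Forwarded-* headers and
strips the hop-by-hop headers named in the client's Connection header. The
backend allow-list, the addresses and the header values are constructed.
Header dicts use lowercase names throughout.
"""

# Hop-by-hop headers a proxy never forwards (RFC 7230 section 6.1). A client
# may list further names in its Connection header; the proxy drops those too.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def connection_tokens(headers):
    """Header names the client listed in 'Connection: a, b', lowercased."""
    value = headers.get("connection", "")
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def strip_hop_by_hop(headers):
    """Remove the standard hop-by-hop headers plus any named in Connection."""
    drop = HOP_BY_HOP | connection_tokens(headers)
    return {k: v for k, v in headers.items() if k not in drop}


def add_forwarded(headers, client_ip, proxy_host):
    """Add the proxy's X-Forwarded-* headers, chaining an existing XFF value."""
    out = dict(headers)
    prior = out.get("x-forwarded-for")
    out["x-forwarded-for"] = f"{prior}, {client_ip}" if prior else client_ip
    out["x-forwarded-host"] = headers.get("host", "")
    out["x-forwarded-server"] = proxy_host
    return out


def proxy_vulnerable(client_headers, client_ip, proxy_host="proxy.example"):
    """Modelled pre-2.4.54 behaviour: the forwarded headers are added first and
    the client's Connection tokens are honoured afterwards, so a request with
    'Connection: X-Forwarded-For' makes the proxy delete the header it added."""
    h = {k.lower(): v for k, v in client_headers.items()}
    return strip_hop_by_hop(add_forwarded(h, client_ip, proxy_host))


def proxy_fixed(client_headers, client_ip, proxy_host="proxy.example"):
    """Modelled 2.4.54 behaviour: client-controlled stripping happens before
    the proxy adds its own headers, so X-Forwarded-* always reach the origin."""
    h = {k.lower(): v for k, v in client_headers.items()}
    return add_forwarded(strip_hop_by_hop(h), client_ip, proxy_host)


def backend_allows(headers, peer_ip, allow=frozenset({"127.0.0.1", "10.0.0.5"})):
    """An origin app with an IP allow-list that falls back to the TCP peer
    address when X-Forwarded-For is absent. Behind a reverse proxy on the same
    host that peer is 127.0.0.1, which this (constructed) app trusts."""
    xff = headers.get("x-forwarded-for")
    source = xff.split(",")[-1].strip() if xff else peer_ip
    return source in allow


# Constructed request from an untrusted client that names X-Forwarded-For as
# hop-by-hop; 203.0.113.7 is a documentation address and not on the allow-list.
CLIENT_HEADERS = {"Host": "app.example", "Connection": "close, X-Forwarded-For"}
CLIENT_IP = "203.0.113.7"

if __name__ == "__main__":
    for version, proxy in (("2.4.53", proxy_vulnerable), ("2.4.54", proxy_fixed)):
        fwd = proxy(CLIENT_HEADERS, CLIENT_IP)
        print(version, "XFF sent:", fwd.get("x-forwarded-for"),
              "| backend allows:", backend_allows(fwd, peer_ip="127.0.0.1"))
```

Two lessons fall out of the model. Patching the proxy restores the header, but the application-side weakness, trusting the peer address whenever X-Forwarded-For is missing, remains a design flaw independent of this CVE: an origin that makes access decisions on client IP should fail closed when the proxy's header is absent rather than fall back to the socket peer.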
Firewood, pellets, photovoltaics & co.: beware of fake shops
Criminals are now following the numerous fake shops selling firewood with photovoltaics shops such as solanex.de and solarnetz.at. The current energy crisis is evidently to be exploited to the maximum. Inverters, solar systems and battery storage, all products that are currently hard to obtain on the market, are not only in stock at solanex.de and solarnetz.at but sometimes available far below market price. Do not buy anything there, because advance payments are lost!
https://www.watchlist-internet.at/news/brennholz-pellets-photovoltaik-co-vorsicht-vor-fake-shops/
Ransomware: 1.5 million people have got their files back without paying the gangs. Here's how
No More Ransom project now offers free tools for decrypting 165 families of ransomware as the fight against extortion groups continues.
https://www.zdnet.com/article/ransomware-1-5-million-people-have-got-their-files-back-without-paying-the-gangs-heres-how/
Vulnerabilities
Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores
The issue in question is an SQL injection vulnerability affecting versions 1.6.0.10 or greater, and is being tracked as CVE-2022-36408.
...
The PrestaShop maintainers also said they found a zero-day flaw in its service that they said has been addressed in version 1.7.8.7, although they cautioned that "we cannot be sure that it's the only way for them to perform the attack."
https://thehackernews.com/2022/07/hackers-exploit-prestashop-zero-day-to.html
Critical FileWave MDM Flaws Open Organization-Managed Devices to Remote Hackers
FileWave's mobile device management (MDM) system has been found vulnerable to two critical security flaws that could be leveraged to carry out remote attacks and seize control of a fleet of devices connected to it. "The vulnerabilities are remotely exploitable and enable an attacker to bypass authentication mechanisms and gain full control over the MDM platform and its managed devices," Claroty security researcher Noam Moshe said in a Monday report.
https://thehackernews.com/2022/07/critical-filewave-mdm-flaws-open.html
Xen XSA-408 - insufficient TLB flush for x86 PV guests in shadow mode
For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary.
https://xenbits.xen.org/xsa/advisory-408.html
Further vulnerabilities closed in Meeting Owl video conferencing hardware
Owl Labs has secured its devices against possible attacks with additional security updates.
https://heise.de/-7189904
Security updates for Tuesday
Security updates have been issued by Debian (spip), Mageia (libtiff and logrotate), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (gpg2, logrotate, and phpPgAdmin), and Ubuntu (python-bottle).
https://lwn.net/Articles/902547/
LibreOffice: multiple vulnerabilities
A remote, anonymous or local attacker can exploit multiple vulnerabilities in LibreOffice to bypass security measures and disclose confidential information.
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0821
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27509
A vulnerability has been discovered in Citrix ADC and Citrix Gateway which enables an attacker to create a specially crafted URL that redirects to a malicious website.
Pre-conditions:
- Appliance must be configured as a VPN (Gateway) or AAA virtual server
- A victim user must use an attacker-crafted link
https://support.citrix.com/article/CTX457836/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202227509
Security Bulletin: Vulnerability in libcURL affects IBM Rational ClearCase (CVE-2022-27778, CVE-2022-27779, CVE-2022-27780, CVE-2022-27782, CVE-2022-30115, CVE-2022-27774)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-libcurl-affect-ibm-rational-clearcase-cve-2022-27778-cve-2022-27779-cve-2022-27780-cve-2022-27782-cve-2022-30115-cve-2022-27774/
Security Bulletin: IBM Security Verify Information Queue web UI is vulnerable to cross-site request forgery (CVE-2022-35286)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-information-queue-web-ui-is-vulnerable-to-cross-site-request-forgery-cve-2022-35286/
Security Bulletin: IBM Common Licensing is vulnerable to a remote code attack in Spring Framework and Apache Commons (CVE-2022-22970, CVE-2022-22971, CVE-2022-33980)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-common-licensing-is-vulnerable-by-a-remote-code-attack-in-spring-framework-and-apache-commonscve-2022-22970cve-2022-22971cve-2022-33980/
Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected access tokens (CVE-2022-22412)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-automation-is-vulnerable-to-insufficiently-protected-access-tokens-cve-2022-22412/
Security Bulletin: A security vulnerability in Node.js nconf affects IBM Cloud Automation Manager
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-nconf-affects-ibm-cloud-automation-manager/
Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module (CVE-2021-44906)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-and-ibm-integration-bus-are-vulnerable-to-arbitrary-code-execution-due-to-node-js-minimist-module-cve-2021-44906/
Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-forge-affects-ibm-cloud-automation-manager-3/
Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase (CVE-2021-45960, CVE-2021-46143)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-expat-component-shipped-with-ibm-rational-clearcase-cve-2021-45960-cve-2021-46143/
Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase (CVE-2022-23852, CVE-2022-23990, CVE-2022-25235, CVE-2022-25315)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-expat-component-shipped-with-ibm-rational-clearcase-cve-2022-23852-cve-2022-23990-cve-2022-25235-cve-2022-25315/
Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-http-server-used-by-ibm-websphere-application-server-3/
Security Bulletin: WebSphere network security vulnerability in IBM Content Foundation on Cloud
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-network-security-vulnerability-in-ibm-content-foundation-on-cloud-2/
Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-forge-affects-ibm-cloud-automation-manager-2/
Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to Slowloris HTTP DOS attack (CVE-2022-35639)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-engagement-manager-is-vulnerable-to-slowloris-http-dos-attack-cve-2022-35639/
Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-go-affects-ibm-cloud-automation-manager-8/
Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-go-affects-ibm-cloud-automation-manager-7/
Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase (CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-expat-component-shipped-with-ibm-rational-clearcase-cve-2022-22822-cve-2022-22823-cve-2022-22824-cve-2022-22825-cve-2022-22826-cve-2022-22827/
Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-node-js-node-forge-affects-ibm-cloud-automation-manager/
Security Bulletin: Vulnerability in OpenSSL affects IBM Rational ClearCase (CVE-2022-1292, CVE-2022-0778)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-affects-ibm-rational-clearcase-cve-2022-1292-cve-2022-0778/
Security Bulletin: IBM Cloud Pak for Security is vulnerable to Using Components with Known Vulnerabilities
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-security-is-vulnerable-to-using-components-with-known-vulnerabilities/
Security Bulletin: Java SE as used by IBM Cloud Pak For Security is vulnerable to information disclosure and denial of service.
https://www.ibm.com/blogs/psirt/security-bulletin-java-se-as-used-by-ibm-cloud-pak-for-security-is-vulnerable-to-information-disclosure-and-denial-of-service/
Security Bulletin: IBM Robotic Process Automation is vulnerable to arbitrary code execution due to async (CVE-2021-43138)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-automation-is-vulnerable-to-arbitrary-code-execution-due-to-async-cve-2021-43138/
Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-in-go-affects-ibm-cloud-automation-manager-6/
Security Bulletin: IBM Sterling Control Center vulnerable to arbitrary file upload and sensitive information exposure due to IBM Cognos Analytics (CVE-2021-38945, CVE-2021-29768)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-center-vulnerable-to-arbitrary-file-upload-and-sensitive-information-exposure-due-to-ibm-cognos-analytics-cve-2021-38945-cve-2021-29768/
Security Bulletin: Vulnerability in Spring Framework affects IBM Process Mining and could allow a local attacker to execute arbitrary code on the system (CVE-2022-22965)
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-spring-framework-affects-ibm-process-mining-and-could-allow-a-local-attacker-to-execute-arbitrary-code-on-the-system-cve-2022-22965/
Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearCase (CVE-2021-35578, CVE-2021-35603, CVE-2021-35550, CVE-2021-35561, CVE-2022-21299)
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-ibm-java-runtime-affect-ibm-rational-clearcase-cve-2021-35578-cve-2021-35603-cve-2021-35550-cve-2021-35561-cve-2022-21299/