Daily summary - 21.09.2022

End-of-Day report

Timeframe: Tuesday 20-09-2022 18:00 - Wednesday 21-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Attackers could execute their own code in the context of Thunderbird and Firefox

Important security updates close several vulnerabilities in the Thunderbird e-mail client and in the Firefox and Firefox ESR web browsers.

https://heise.de/-7270944


Mass e-mails about package delivery and storage fees are a scam!

Countless people are currently receiving a personalised e-mail about a package with the subject "Label/torn off/delivery". Because the address is supposedly unreadable, you are asked to open a chat and add your details in order to avoid a storage fee of 29.99 euros. Do not follow the link, do not disclose any data and do not pay anything. This is a subscription trap!

https://www.watchlist-internet.at/news/hinter-massenmails-zu-paketzustellung-und-lagergebuehr-steckt-betrug/


Windows 11 22H2 adds kernel exploit protection to security baseline

Microsoft has released the final version of security configuration baseline settings for Windows 11, version 22H2, downloadable today using the Microsoft Security Compliance Toolkit.

https://www.bleepingcomputer.com/news/microsoft/windows-11-22h2-adds-kernel-exploit-protection-to-security-baseline/


Identifying file manipulation in system files

Sometimes people send files to us that seem to be legitimate Microsoft system files at first glance, yet closer inspection reveals that they have in fact been modified. Are those manipulations always malicious? And how can file manipulations be identified? Here are seven different ways to do that.

https://www.gdatasoftware.com/blog/2022/09/37511-detecting-file-manipulation-in-system-files


New Windows 11 security features are designed for hybrid work

With Windows 11, you can protect your valuable data and enable secure hybrid work with the latest advanced security. We're proud to announce the new security features you heard about this spring are now available.

https://www.microsoft.com/security/blog/2022/09/20/new-windows-11-security-features-are-designed-for-hybrid-work/


Defense-in-Depth Updates for Azure Identity SDK and Azure Key Vault SDK plus Best Practice Implementation Guidance

Today, Microsoft released a new version of the Azure Key Vault Software Development Kit (SDK) and Azure Identity SDK that includes defense-in-depth feature improvements. We also published best practice guidance to help protect applications and services that allow externally controlled input into the Azure Key Vault client URI for processing.

https://msrc-blog.microsoft.com/2022/09/20/defense-in-depth-updates-for-azure-identity-sdk-and-azure-key-vault-sdk-plus-best-practice-implementation-guidance/


Exploiting a Seagate service to create a SYSTEM shell (CVE-2022-40286)

This post covers a slightly different topic than my usual content: application vulnerability discovery and exploit development.

https://www.x86matthew.com/view_post?id=windows_seagate_lpe


Open Source Tool to Collect Volatile Data for Incident Response

Varc collects a snapshot of volatile data from a system. It tells you what is happening on a system, and is of particular use when investigating a security incident.

https://github.com/cado-security/varc


How we Abused Repository Webhooks to Access Internal CI Systems at Scale

As adoption of CI systems and processes becomes more prevalent, organizations opt for a CI/CD architecture which combines SaaS-based source control management systems (like GitHub or GitLab) with an internal, self-hosted CI solution (e.g. Jenkins, TeamCity). [...] To allow the webhook requests to access the internally-hosted CI system, the SaaS-based SCM vendors provide IP ranges from which their webhook requests arrive, so these ranges can be allowed in the organization's firewall. In this blog post, we'll dive into the potential security pitfalls of this control, and explain why it provides organizations with a false sense of security.

https://www.cidersecurity.io/blog/research/how-we-abused-repository-webhooks-to-access-internal-ci-systems-at-scale/


Securing Developer Tools: OneDev Remote Code Execution

OneDev is a self-hosted Git server that comes with a lot of development-oriented features such as CI/CD, code search, and static analysis integration. With almost 10,000 stars on GitHub, it is gaining popularity and becoming an open-source and low-maintenance alternative to GitHub, GitLab, and Bitbucket. [...] In this article, we describe the vulnerabilities we found in OneDev that could be used by attackers to take over vulnerable instances.

https://blog.sonarsource.com/onedev-remote-code-execution/


Hundreds of eCommerce Domains Infected With Google Tag Manager-Based Skimmers

Security researchers with Recorded Future have identified a total of 569 ecommerce domains infected with skimmers, 314 of which have been infected with web skimmers leveraging Google Tag Manager (GTM) containers.

https://www.securityweek.com/hundreds-ecommerce-domains-infected-google-tag-manager-based-skimmers


Penetration testing is in the eye of the beholder

"Beauty is in the eye of the beholder." A famous phrase known to all indicates that our perceptions influence our definitions. The same can be said about penetration testing. Often when clients approach us for what they believe to be a penetration test, their definition and needs do not necessarily meet the accepted approach of those within the security field.

https://cybersecurity.att.com/blogs/security-essentials/penetration-testing-is-in-the-eye-of-the-beholder


Authentication methods: choosing the right type

Recommended authentication models for organisations looking to move beyond passwords.

https://www.ncsc.gov.uk/guidance/authentication-methods-choosing-the-right-type


Native function and Assembly Code Invocation

For a reverse engineer, the ability to directly call a function from the analyzed binary can be a shortcut that bypasses a lot of grief. While in some cases it is just possible to understand the function logic and reimplement it in a higher-level language, this is not always feasible, and [...]

https://research.checkpoint.com/2022/native-function-and-assembly-code-invocation/


Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware

Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining.

https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnerability-cve-2022-26134-abused-for-cryptocurrency-mining-other-malware.html

Vulnerabilities

Security updates for Wednesday

Security updates have been issued by Fedora (libconfuse, moodle, rizin, and thunderbird), Oracle (ELS kernel, gnupg2, ruby, and webkit2gtk3), Red Hat (booth, dbus-broker, gnupg2, kernel, kernel-rt, kpatch-patch, mysql, nodejs, nodejs-nodemon, ruby, and webkit2gtk3), Slackware (expat and mozilla), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container and vsftpd), and Ubuntu (bind9, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-kvm, linux-lowlatency, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-hwe-5.15, linux-lowlatency-hwe-5.15, and mako).

https://lwn.net/Articles/908893/


Information Disclosure in VIDEOJET Decoder and Operator Client application in BVMS

BOSCH-SA-464066-BT: The BVMS Operator Client application or the VIDEOJET Decoder VJD-7513 may receive an *unencrypted* live stream from a camera, which allows a man-in-the-middle attacker to compromise the confidential video streams. This happens only in combination with cameras of platform CPP13 or CPP14.x when an encrypted UDP connection is configured. Please be aware that the encrypted UDP connection is the default setting («Secure Connection» setting) for all cameras added into BVMS.

https://psirt.bosch.com/security-advisories/bosch-sa-464066-bt.html


[R1] Nessus Network Monitor 6.1.0 Fixes Multiple Third-party Vulnerabilities

Nessus Network Monitor leverages third-party software to help provide underlying functionality. Several third-party components (OpenSSL and moment.js) were found to contain vulnerabilities, and updated versions have been made available by the providers.

https://www.tenable.com/security/tns-2022-19


Security Bulletin: Rational Performance Tester contains a vulnerability which could affect Eclipse Jetty. Rational Performance Tester has taken steps to mitigate this vulnerability.

https://www.ibm.com/blogs/psirt/security-bulletin-rational-performance-tester-contains-a-vulnerability-which-could-affect-eclipse-jetty-rational-performance-tester-has-taken-steps-to-mitigate-this-vulnerability/


Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-governance-and-intelligence-is-vulnerable-to-sensitive-information-exposure-cve-2021-35550-3/


Security Bulletin: This Power System update is being released to address CVE 2022-0778

https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-is-being-released-to-address-cve-2022-0778-2/


Security Bulletin: Operations Dashboard is vulnerable to multiple Golang Go vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-vulnerable-to-multiple-golang-go-vulnerabilities/


Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-28/


Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-27/


Security Bulletin: IBM Security Guardium is affected by a PolicyKit vulnerability (CVE-2021-4034)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-policykit-vulnerability-cve-2021-4034-3/


Security Bulletin: IBM Maximo Asset Management is vulnerable to authentication bypass (CVE-2022-40616)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-management-is-vulnerable-to-authentication-bypass-cve-2022-40616/


Security Bulletin: IBM Security Guardium is affected by a Missing HTTP Strict-Transport-Security Header vulnerability (CVE-2021-39072)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-a-missing-http-strict-transport-security-header-vulnerability-cve-2021-39072-3/


Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-fasterxml-jackson-databind-vulnerabilities-cve-2020-25649-x-force-id-217968-4/


Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-26/


Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076)

https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-path-traversal-and-crypto-vulnerabilities-cve-2021-29425-cve-2021-39076-4/


Microsoft Endpoint Configuration Manager: Vulnerability allows bypassing of security settings

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1488


TIBCO Spotfire: Vulnerability allows bypassing of security measures

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1487


Grafana: Multiple vulnerabilities allow privilege escalation

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1486


Hashicorp Vault: Vulnerability allows disclosure of information

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1485


Internet Systems Consortium BIND: Multiple vulnerabilities allow denial of service

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1492