Daily summary - 18.01.2023

End-of-Day report

Timeframe: Tuesday 17-01-2023 18:00 - Wednesday 18-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter

News

RC4 Is Still Considered Harmful

I've been spending a lot of time researching Windows authentication implementations, specifically Kerberos. In June 2022 I found an interesting issue, number 2310, with the handling of RC4 encryption that allowed you to authenticate as another user if you could either interpose on the Kerberos network traffic to and from the KDC or directly if the user was configured to disable typical pre-authentication requirements. This blog post goes into more detail [...]

https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html


Malicious Google Ad --> Fake Notepad++ Page --> Aurora Stealer malware, (Wed, Jan 18th)

https://isc.sans.edu/diary/rss/29448


Is WordPress Secure?

According to W3Techs, 43.2% of all websites on the internet use WordPress. And of all websites that use a CMS (Content Management System) more than half (64%) leverage WordPress to power their blog or website. Unfortunately, since WordPress has such a large market share it has also become a prime target for attackers. You might be wondering whether WordPress is safe to use. And the short answer is yes - WordPress core is safe to use, but only if you maintain it to the latest version and [...]

https://blog.sucuri.net/2023/01/is-wordpress-secure.html


CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9)

https://thehackernews.com/2023/01/cisa-warns-of-flaws-in-siemens-ge.html


Patch now! Thousands of Sophos firewalls vulnerable

Security researchers scanned the internet for vulnerable Sophos firewalls and found plenty. Security patches have been available since December 2022.

https://heise.de/-7462565


MSI motherboards reportedly boot manipulated systems despite active Secure Boot

A security researcher has found that the Secure Boot protection mechanism is enabled by default on MSI motherboards but nonetheless waves everything through.

https://heise.de/-7462913


High-risk security vulnerabilities in Qt "just a bug"

IT security researchers from Cisco Talos have found high-risk security vulnerabilities in Qt-QML. Qt considers app developers responsible and classifies them merely as a bug.

https://heise.de/-7462956


Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability

Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns.

https://www.securityweek.com/vendors-actively-bypass-security-patch-year-old-magento-vulnerability


The Defender's Guide to Windows Services

This is the second installment of the Defender's Guide series. In keeping with the theme, we are discussing Windows Services, the underlying technology, common attack vectors, and methods of securing/monitoring them.

https://posts.specterops.io/the-defenders-guide-to-windows-services-67c1711ecba7?source=rssf05f8696e3cc4


Silo, or not silo, that is the question

As we (security folks) were working on the hardening of WSUS update servers, we had to answer an interesting question dealing with how to best isolate a sensitive server like WSUS on on-premises Active Directory. The question was: should I put my WSUS server into my T0 silo?

https://medium.com/tenable-techblog/silo-or-not-silo-that-is-the-question-d0141d0cbb78?source=rss68728ef067324


Elastic IP Transfer: Identifying and Mitigating Risks from a New Attack-Vector on AWS

Elastic IPs (EIPs) are public and static IPv4 addresses provided by AWS. EIPs can be viewed as a pool of IPv4 addresses, accessible from the internet, that can be used in numerous ways. Once an EIP is allocated to an AWS account, it can be associated with a single compute instance or an elastic network [...]

https://orca.security/resources/blog/elastic-ip-transfer-attack-vector-on-aws/


An in-depth HTTP Strict Transport Security Tutorial

HSTS is an Internet standard and policy that tells the browser to only interact with a website using a secure HTTPS connection. Check out this article to learn how to leverage the security of your website and customers' data and the security benefits you'll gain from doing so.

https://www.trendmicro.com/en_us/devops/23/a/http-strict-transport-security-tutorial.html


Criminals promise money for hair donations on job boards, but don't pay!

If you look for work in various job boards on Facebook, you may come across a tempting offer for your hair. Supposedly to make wigs for cancer patients, someone is willing to pay you up to 2000 euros for your hair. Warning: if you make contact, you are given precise instructions for cutting off your hair and promised payment on collection. But then your hair is gone, you are blocked and [...]

https://www.watchlist-internet.at/news/kriminelle-versprechen-geld-fuer-haarspenden-auf-job-boersen-aber-zahlen-nicht/

Vulnerabilities

Patch day: security vulnerabilities in more than 100 Oracle products

The first Oracle Critical Patch Update of 2023 provides descriptions of, and updates for, security vulnerabilities in more than 100 of the company's products.

https://heise.de/-7462438


Version control: Git closes two critical vulnerabilities in version 2.39

Security researchers have discovered vulnerabilities in Git that allowed arbitrary code execution. Patches are available; users should update immediately.

https://heise.de/-7462680


Security updates for Wednesday

Security updates have been issued by Fedora (awstats), Oracle (dpdk, libxml2, postgresql:10, systemd, and virt:ol and virt-devel:rhel), Red Hat (kernel), Slackware (git, httpd, libXpm, and mozilla), SUSE (libzypp-plugin-appdata), and Ubuntu (git, libxpm, linux-ibm-5.4, linux-oem-5.14, and ruby2.3).

https://lwn.net/Articles/920318/


Remote Code Execution Vulnerabilities Found in TP-Link, NetComm Routers

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE). Two security defects were identified in TP-Link WR710N-V1-151022 and Archer-C5-V2-160201 SOHO (small office/home office) routers, allowing attackers to execute code, crash devices, or guess login credentials.

https://www.securityweek.com/remote-code-execution-vulnerabilities-found-tp-link-netcomm-routers


IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities.

https://www.ibm.com/support/pages/node/6850801


Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product

http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahpp-f18e962a-en


Security Advisory - Misinterpretation of Input in a Huawei Printer Product

http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moiiahpp-a2a7a816-en


Security Advisory - Data Processing Error Vulnerability in a Huawei Band

http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-dpeviahb-44e16f60-en


Security Advisory - Buffer Overflow Vulnerability in a Huawei Printer Product

http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-boviahpp-7a1783e1-en


Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product

http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahpp-4181d272-en


Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer

http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-5deb7c23-en