Daily summary - 20.01.2023

End-of-Day report

Timeframe: Thursday 19-01-2023 18:00 - Friday 20-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter

News

Exploit released for critical ManageEngine RCE bug, patch now

Proof-of-concept exploit code is now available for a remote code execution (RCE) vulnerability in multiple Zoho ManageEngine products.

https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-manageengine-rce-bug-patch-now/


Exploiting null-dereferences in the Linux kernel

While the null-dereference bug itself was fixed in October 2022, the more important fix was the introduction of an oops limit which causes the kernel to panic if too many oopses occur. While this patch is already upstream, it is important that distributed kernels also inherit this oops limit and backport it to LTS releases if we want to avoid treating such null-dereference bugs as full-fledged security issues in the future.

https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
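The check a practitioner wants after reading this is whether their own kernel carries the oops limit at all, and whether it is enabled. The following is an added example, not code from the Project Zero post: it reads the kernel.oops_limit and kernel.warn_limit sysctls from procfs (the path prefix is a parameter so the check can be run against a constructed tree; the default of 10000 mentioned in the comment is the upstream default) and reports "missing" for a kernel without the backport, "disabled" for a limit set to 0, and "enabled:<n>" otherwise.

```python
"""Added example (not part of the Project Zero post): report whether the running
kernel exposes the oops/warn limit sysctls and whether they are enabled."""
from pathlib import Path

# Assumption: the sysctls live under <proc>/sys/kernel/. Upstream default is
# 10000 for both; 0 disables the limit.
LIMITS = ("oops_limit", "warn_limit")


def limit_status(name: str, proc: str = "/proc") -> str:
    """Return 'missing', 'disabled' or 'enabled:<n>' for one limit sysctl."""
    path = Path(proc) / "sys" / "kernel" / name
    if not path.is_file():
        # The kernel predates the limit or the backport was not applied:
        # an attacker can trigger unbounded oopses without ever hitting a panic.
        return "missing"
    value = int(path.read_text().strip())
    if value == 0:
        # A value of 0 switches the limit off.
        return "disabled"
    return f"enabled:{value}"


def audit(proc: str = "/proc") -> dict:
    """Status of every limit sysctl, keyed by name."""
    return {name: limit_status(name, proc) for name in LIMITS}


if __name__ == "__main__":
    for name, status in audit().items():
        print(f"kernel.{name}: {status}")
```

On a kernel that has the sysctl but reports "disabled", `sysctl -w kernel.oops_limit=10000` restores the default; on a kernel that reports "missing", only a kernel update (or a vendor backport) helps, which is the point the post makes about distribution and LTS kernels.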


Importance of signing in Windows environments, (Fri, Jan 20th)

NTLM relaying has been a plague in Windows environments for many years and we have witnessed many exploits that rely on the fact that it is possible to relay NTLM authentication attempts to various target services.

https://isc.sans.edu/diary/rss/29456
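Whether a relay attack against an SMB server succeeds depends on whether the server merely supports signing or requires it; only a server that requires signing rejects a relayed session that cannot produce a valid signature. The following added example (not code from the ISC diary) parses the SecurityMode field of an SMB2 NEGOTIATE response per MS-SMB2 and classifies the server accordingly. The response bytes are constructed inline by a helper so the example runs offline; in practice you would feed it the response captured from a real negotiation.

```python
"""Added example (not from the ISC diary): classify SMB signing enforcement
from the SecurityMode field of an SMB2 NEGOTIATE response (MS-SMB2 2.2.4)."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001    # server supports signing
SIGNING_REQUIRED = 0x0002   # server refuses unsigned sessions


def negotiate_signing(packet: bytes) -> str:
    """Return 'required', 'enabled' or 'off' for an SMB2 NEGOTIATE response."""
    if len(packet) < 64 + 4 or packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 packet")
    (header_size,) = struct.unpack_from("<H", packet, 4)
    (command,) = struct.unpack_from("<H", packet, 12)
    (flags,) = struct.unpack_from("<I", packet, 16)
    if header_size != 64 or command != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE message")
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a server response")
    # Body: StructureSize (always 65 for a NEGOTIATE response), SecurityMode.
    body_size, security_mode = struct.unpack_from("<HH", packet, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response size")
    if security_mode & SIGNING_REQUIRED:
        return "required"   # relayed, unsigned sessions are rejected
    if security_mode & SIGNING_ENABLED:
        return "enabled"    # signing negotiated only if the client insists
    return "off"


def build_negotiate_response(security_mode: int) -> bytes:
    """Constructed sample: minimal SMB2 NEGOTIATE response with the given SecurityMode."""
    header = SMB2_MAGIC + struct.pack(
        "<HHIHHIIQIIQ",
        64, 0, 0, SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR, 0, 1, 0, 0, 0,
    ) + b"\x00" * 16  # zero signature
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, 0x0311, 0, b"\x00" * 16,
        0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0,
    ) + b"\x00"  # one-byte Buffer
    return header + body


if __name__ == "__main__":
    for mode in (0, SIGNING_ENABLED, SIGNING_ENABLED | SIGNING_REQUIRED):
        print(hex(mode), negotiate_signing(build_negotiate_response(mode)))
```

A server answering "enabled" is exactly the case the diary warns about: signing is available, but a relayed client can simply decline it. The same reasoning applies to LDAP, where the equivalent control is the domain controller's LDAP signing requirement and channel binding.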


Vulnerable WordPress Sites Compromised with Different Database Infections

Vulnerabilities within WordPress can lead to compromise, and oftentimes known vulnerabilities are utilized to infect WordPress sites with more than one infection. It is common for out of date websites to be attacked by multiple threat actors or targeted by the same attacker using multiple different channels. We recently came across a database injection that has two different pieces of malware accomplishing two unrelated goals.

https://blog.sucuri.net/2023/01/vulnerable-wordpress-sites-compromised-with-different-database-infections.html
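When the injection lives in the database rather than on disk, file-integrity checks do not see it; the rows themselves have to be scanned. The following added example (not code from the Sucuri post) runs a simple two-rule detection over constructed WordPress rows: a <script> whose src points to a host other than the site's own, and an inline <script> using the usual obfuscation primitives. The table names, row contents and the allowed host are constructed sample input; the rules are a starting point, not a complete signature set.

```python
"""Added example (not from the Sucuri post): scan WordPress database rows for
injected <script> tags loading from a foreign host or using obfuscation."""
import re
from html import unescape

# Script tag whose src is absolute or protocol-relative; captures the host.
SCRIPT_SRC = re.compile(
    r"<script[^>]+src\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)", re.I)
# Inline script body (non-greedy so adjacent tags are not merged).
INLINE_SCRIPT = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# Primitives typically used to hide the real payload in an injected script.
OBFUSCATION = re.compile(r"\b(eval|atob|unescape|fromCharCode|document\.write)\b")

# Constructed sample rows as (table, id, text); not real site data.
SAMPLE_ROWS = [
    ("wp_posts", 12, '<p>Hello</p><script src="https://cdn.example-evil.test/x.js"></script>'),
    ("wp_posts", 13, '<script src="/wp-includes/js/jquery.js"></script>'),
    ("wp_options", 99, "<script>eval(atob('ZG9jdW1lbnQud3JpdGUo'))</script>"),
    ("wp_posts", 14, '<script src="https://blog.example.com/app.js"></script>'),
]


def find_injections(rows, site_host):
    """Return (table, id, reason) for every row that trips one of the rules."""
    hits = []
    for table, row_id, text in rows:
        text = unescape(text)  # injections are often stored HTML-escaped
        for host in SCRIPT_SRC.findall(text):
            if host.lower() != site_host.lower():
                hits.append((table, row_id, f"external script from {host}"))
        for body in INLINE_SCRIPT.findall(text):
            if OBFUSCATION.search(body):
                hits.append((table, row_id, "obfuscated inline script"))
    return hits


def scan_sample():
    """Run the rules over the constructed rows for the site blog.example.com."""
    return find_injections(SAMPLE_ROWS, "blog.example.com")


if __name__ == "__main__":
    for table, row_id, reason in scan_sample():
        print(f"{table}#{row_id}: {reason}")
```

Against a live site the rows would come from `SELECT ID, post_content FROM wp_posts` and `SELECT option_id, option_value FROM wp_options`; because the post describes two unrelated payloads in one database, expect more than one distinct reason per site and treat each hit as its own cleanup item.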


New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability

Earlier this month, Fortinet disclosed that unknown hacking groups have capitalized on the shortcoming to target governments and other large organizations with a generic Linux implant capable of delivering additional payloads and executing commands sent by a remote server.

https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html


New love-scam scheme: when an online acquaintance talks you into online trading

Fraudulent online acquaintances try all sorts of ways to get at your money. In a new scheme, the criminals first worm their way into your trust in order to later lure you onto the online marketplace haremark.

https://www.watchlist-internet.at/news/neue-love-scam-masche-wenn-die-internetbekanntschaft-sie-zum-online-handel-ueberredet/


CVE-2022-35690: Unauthenticated RCE in Adobe ColdFusion

In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in Adobe ColdFusion.

https://www.thezdi.com/blog/2023/1/18/cve-2022-35690-unauthenticated-rce-in-adobe-coldfusion


NCSC to retire Logging Made Easy

The NCSC is retiring Logging Made Easy (LME). After 31 March 2023, we will no longer support LME, and the GitHub page will close shortly after.

https://www.ncsc.gov.uk/blog-post/ncsc-to-retire-logging-made-easy

Vulnerabilities

Cisco: High-risk security hole in Unified Communications Manager

Cisco's Unified Communications Manager software contains a high-severity security vulnerability. The vendor has released updates that close it.

https://heise.de/-7465203


Technical Advisory - Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)

The Galaxy App Store is an alternative application store that comes pre-installed on Samsung Android devices. Several Android applications are available on both the Galaxy App Store and Google App Store, and users have the option to use either store to install specific applications.

https://research.nccgroup.com/2023/01/20/technical-advisory-multiple-vulnerabilities-in-the-galaxy-app-store-cve-2023-21433-cve-2023-21434/


Security updates for Friday

Security updates have been issued by Debian (lava and libitext5-java), Oracle (java-11-openjdk, java-17-openjdk, and libreoffice), SUSE (firefox, git, mozilla-nss, postgresql-jdbc, and sudo), and Ubuntu (git, linux-aws-5.4, linux-gkeop, linux-hwe-5.4, linux-oracle, linux-snapdragon, linux-azure, linux-gkeop, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, and linux-bluefield).

https://lwn.net/Articles/920646/


Vulnerability Spotlight: XSS vulnerability in Ghost CMS

TALOS-2022-1686 (CVE-2022-47194 through CVE-2022-47197) covers several XSS vulnerabilities in Ghost CMS that could lead to privilege escalation.

https://blog.talosintelligence.com/vulnerability-spotlight-xss-vulnerability-in-ghost-cms/


Hitachi Energy PCU400

https://us-cert.cisa.gov/ics/advisories/icsa-23-019-01


uniFLOW MOM Tech Support Potential Data Exposure Vulnerability - 20 January 2023

https://www.canon-europe.com/support/product-security-latest-news/


Vulnerability in minimatch affects IBM Process Mining (CVE-2022-3517)

https://www.ibm.com/support/pages/node/6856471


Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson

https://www.ibm.com/support/pages/node/6856659


Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson

https://www.ibm.com/support/pages/node/6856661


Liberty is vulnerable to denial of service due to GraphQL Java affecting IBM TXSeries for Multiplatforms

https://www.ibm.com/support/pages/node/6856687


IBM UrbanCode Release is affected by CVE-2022-42252

https://www.ibm.com/support/pages/node/6856719


IBM UrbanCode Release is affected by CVE-2022-42252

https://www.ibm.com/support/pages/node/6856717


IBM UrbanCode Release is affected by CVE-2022-34305

https://www.ibm.com/support/pages/node/6856713


IBM UrbanCode Release is affected by CVE-2022-45143

https://www.ibm.com/support/pages/node/6856721