End-of-Day report
Timeframe: Monday 30-01-2023 18:00 - Tuesday 31-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
News
Exploit released for critical VMware vRealize RCE vulnerability
Horizon3 security researchers have released proof-of-concept (PoC) code for a VMware vRealize Log Insight vulnerability chain that allows attackers to gain remote code execution on unpatched appliances.
VMware patched four security vulnerabilities in its vRealize log analysis tool last week, two being critical and allowing remote attackers to execute code on compromised devices.
https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-vmware-vrealize-rce-vulnerability/
Github Desktop & Atom: Signing keys stolen from Github
Signing keys were stolen from Github and will soon be revoked. Affected are Github Desktop and Atom for Mac, which are being discontinued. (Github, Security)
https://www.golem.de/news/github-desktop-atom-signaturschluessel-von-github-entwendet-2301-171577.html
Prilex modification now targeting contactless credit card transactions
Kaspersky discovers three new variants of the Prilex PoS malware capable of blocking contactless NFC transactions on an infected device.
https://securelist.com/prilex-modification-now-targeting-contactless-credit-card-transactions/108569/
Microsoft Investigation - Threat actor consent phishing campaign abusing the verified publisher process
On December 15th, 2022, Microsoft became aware of a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP) (formerly known as Microsoft Partner Network (MPN)).
https://msrc-blog.microsoft.com/2023/01/31/threat-actor-consent-phishing-campaign-abusing-the-verified-publisher-process/
Decoding DNS over HTTP(s) Requests, (Mon, Jan 30th)
I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the "Big Chinese Firewall". Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard.
https://isc.sans.edu/diary/rss/29488
Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years
A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years. "TrickGate managed to stay under the radar for years because it is transformative - it undergoes changes periodically
https://thehackernews.com/2023/01/researchers-uncover-packer-that-helped.html
Chromebook SH1MMER exploit promises admin jailbreak
School laptops are out if this one gets around, but beware bricking. Users of enterprise-managed Chromebooks now, for better or worse, have a way to break the shackles of administrative control through an exploit called SH1MMER.
https://go.theregister.com/feed/www.theregister.com/2023/01/30/chromebook_exploit_sh1mmer/
Forthcoming OpenSSL Releases
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.8, 1.1.1t and 1.0.2zg. [..] These releases will be made available on Tuesday 7th February 2023 between 1300-1700 UTC. These are security-fix releases. The highest severity issue fixed in each of these three releases is High.
https://mta.openssl.org/pipermail/openssl-announce/2023-January/000248.html
Keep your distance from opaque multi-level marketing offers such as shopwithme.biz
Anyone currently active on social media such as Facebook, YouTube or TikTok can hardly avoid advertising videos that promise big money. With minimal effort and revolutionary methods, you are supposedly able to earn vast sums of money with ease. Similar promises are made, for example, at shopwithme.biz. A closer look suggests: here money is made not by selling products, but by recruiting new customers. We advise here
https://www.watchlist-internet.at/news/abstandhalten-zu-undurchsichtigen-multi-level-marketing-angeboten-wie-shopwithmebiz/
A Phishing Page that Changes According to the User's Email Address (Using Favicon)
The ASEC analysis team continuously monitors phishing emails, and we have been detecting multiple phishing emails that are distributed with a changing icon to reflect the mail account service entered by the user.
https://asec.ahnlab.com/en/46786/
Vulnerabilities
[20230101] - Core - CSRF within post-installation messages
Severity: Low
Versions: 4.0.0-4.2.6
Exploit type: CSRF
Description: A missing token check causes a CSRF vulnerability in the handling of post-installation messages.
Affected Installs: Joomla! CMS versions 4.0.0-4.2.6
Solution: Upgrade to version 4.2.7
https://developer.joomla.org:443/security-centre/890-20230101-core-csrf-within-post-installation-messages.html
[20230102] - Core - Missing ACL checks for com_actionlogs
Severity: Low
Versions: 4.0.0-4.2.6
Exploit type: Incorrect Access Control
Description: A missing ACL check allows non super-admin users to access com_actionlogs.
Solution: Upgrade to version 4.2.7
https://developer.joomla.org:443/security-centre/891-20230102-core-missing-acl-checks-for-com-actionlogs.html
VMSA-2023-0002
CVSSv3 Range: 6.5
CVE(s): CVE-2023-20856
Synopsis: VMware vRealize Operations (vROps) update addresses a CSRF bypass vulnerability
https://www.vmware.com/security/advisories/VMSA-2023-0002.html
Security updates for Tuesday
Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libXpm, pki-core, sssd, sudo, thunderbird, tigervnc, and xorg-x11-server), Debian (cinder, glance, libarchive, libhtml-stripscripts-perl, modsecurity-crs, node-moment, node-qs, nova, ruby-git, ruby-rack, and tiff), Fedora (java-17-openjdk, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-pore, rust-silver, rust-tokei, and seamonkey), Oracle (libksba), Red Hat (kernel, kernel-rt, kpatch-patch, libksba, and pcs), Scientific Linux (libksba), SUSE (apache2-mod_auth_openidc, ghostscript, libarchive, nginx, python, vim, and xen), and Ubuntu (cinder, glance, linux-raspi, nova, python-future, and sudo).
https://lwn.net/Articles/921765/
[R1] Tenable Plugin Feed ID #202212212055 Fixes Privilege Escalation Vulnerability
As part of our Security Development Lifecycle, a potential privilege escalation issue was identified internally. This could allow a malicious actor with sufficient permissions to modify environment variables and abuse an impacted plugin in order to escalate privileges. We have resolved the issue and also made several defense-in-depth fixes alongside.
https://www.tenable.com/security/tns-2023-04
WordPress Vulnerability & Patch Roundup January 2023
* SiteGround Security - SQL injection
* ExactMetrics - Cross Site Scripting (XSS)
* Enable Media Replace - Arbitrary File Upload
* Spectra WordPress Gutenberg Blocks - Stored Cross Site Scripting
* GiveWP - SQL Injection
* Better Font Awesome - Cross Site Scripting (XSS)
* LearnPress - SQL Injection
* Royal Elementor Addons and Templates - Cross Site Scripting (XSS)
* Strong Testimonials - Stored Cross Site Scripting (XSS)
* HUSKY (formerly WOOF) - PHP Object Injection
* WP Show Posts - Cross Site Scripting (XSS)
* Widgets for Google Reviews - Cross Site Scripting (XSS)
* Strong Testimonials - Cross Site Scripting (XSS)
* Simple Sitemap - Cross Site Scripting (XSS)
* Contextual Related Posts - Stored Cross Site Scripting (XSS)
* Stream - Broken Access Control
* Customer Reviews for WooCommerce - Cross Site Scripting (XSS)
* Themify Portfolio Post - Stored Cross Site Scripting
* Spotlight Social Media Feeds - Stored Cross Site Scripting (XSS)
* RSS Aggregator by Feedzy - Stored Cross Site Scripting (XSS)
https://blog.sucuri.net/2023/01/wordpress-vulnerability-patch-roundup-january-2023.html
IBM Security Bulletins
* IBM UrbanCode Deploy (UCD) is vulnerable to cross-site scripting (CVE-2022-46771)
* IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go (CVE-2022-24921, CVE-2022-28327, CVE-2022-24675)
* IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)
* Multiple vulnerabilities affect IBM Sterling External Authentication Server
* Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud Pak for Multicloud Management Monitoring.
* Multiple vulnerabilities in libcURL affect IBM Rational ClearCase (CVE-2022-42915, CVE-2022-42916, CVE-2022-32221, CVE-2022-35252, CVE-2022-32205, CVE-2022-32206, CVE-2022-32207)
* IBM Sterling Secure Proxy vulnerable to multiple issues
* Multiple vulnerabilities in OpenSSL affect IBM Rational ClearCase (CVE-2022-2097, CVE-2022-2068)
* A vulnerability in the IBM Java Runtime affects IBM Rational ClearCase (CVE-2022-21626)
* Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote code execution due to jsonwebtoken CVE-2022-23529
* Automation Assets in IBM Cloud Pak for Integration is vulnerable to CSS injection due to Swagger CVE-2019-17495
* Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to protobuf CVE-2022-1941
* Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple Go vulnerabilities
* IBM Watson Knowledge Catalog on Cloud Pak for Data is vulnerable to SQL injection (CVE-2022-41731)
* IBM Virtualization Engine TS7700 is vulnerable to a denial of service threat due to use of IBM® SDK Java™ Technology Edition, Version 8 (CVE-2022-21626)
* Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in XStream
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in PyPA Wheel
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js json5
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Certifi
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js decode-uri-component
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in PostgreSQL
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in WebSphere Application Server Liberty
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Tomcat
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Spark
* Multiple Vulnerabilities in Java packages affect IBM Voice Gateway
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in HSQLDB
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Google Protocol Buffers
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in TensorFlow
https://www.ibm.com/support/pages/bulletin/
Delta Electronics DOPSoft
https://us-cert.cisa.gov/ics/advisories/icsa-23-031-01