End-of-Day report
Timeframe: Thursday 19-10-2023 18:00 - Friday 20-10-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Malvertising: attackers use Punycode for fake websites
Cybercriminals are advertising via Google Ads with, for example, fake KeePass URLs containing Punycode characters. The advertised site delivers malware.
https://www.heise.de/-9339448.html
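The lookalike trick described above works because a Punycode label such as `xn--…` renders in the browser as Unicode letters that are visually close to the brand name. The following is an added example (not from the heise article or from KeePass) that decodes IDN labels and reduces them to an ASCII skeleton so that log-review or proxy tooling can flag domains impersonating a watched brand. The confusables table is a deliberately small, constructed subset of the Unicode confusables list, and the sample domains are constructed here for illustration, not taken from the campaign.

```python
import unicodedata

# Constructed subset of Unicode confusables: lookalike code point -> ASCII letter.
# The real confusables.txt from Unicode is far larger; extend as needed.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}


def to_idna(host: str) -> str:
    """Encode a Unicode hostname into its xn-- (Punycode) wire form, label by label.
    Used here only to build the constructed samples; real input arrives already encoded."""
    return ".".join(
        label if label.isascii() else "xn--" + label.encode("punycode").decode("ascii")
        for label in host.split(".")
    )


def decode_idn(host: str) -> str:
    """Return the Unicode form of a hostname whose labels may be Punycode (xn--)."""
    out = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def skeleton(text: str) -> str:
    """Map lookalike characters to the ASCII letters a human would read them as.
    Diacritic variants (e.g. s with dot below) are stripped via NFKD; script
    homoglyphs (Cyrillic a/e/o/...) come from the CONFUSABLES table."""
    out = []
    for ch in text:
        if ch.isascii():
            out.append(ch)
            continue
        if ch in CONFUSABLES:
            out.append(CONFUSABLES[ch])
            continue
        base = unicodedata.normalize("NFKD", ch)
        base = "".join(c for c in base if not unicodedata.combining(c))
        out.append(base if base and base.isascii() else ch)
    return "".join(out)


def check_domain(host: str, brands: list[str]) -> dict:
    """Decode an (possibly Punycode) hostname and report whether it visually
    impersonates one of the watched brand names."""
    decoded = decode_idn(host)
    skel = skeleton(decoded)
    lookalike = skel != decoded          # only true if a non-ASCII char mapped to ASCII
    first_label = skel.split(".")[0]     # the part an ad or link shows most prominently
    hit = next((b for b in brands if lookalike and b in first_label), None)
    return {"decoded": decoded, "skeleton": skel, "lookalike": lookalike, "impersonates": hit}


if __name__ == "__main__":
    watched = ["keepass", "paypal"]
    # Constructed samples: a diacritic lookalike, a Cyrillic homoglyph, a legit ASCII name
    for sample in (to_idna("keepa\u1e63s.example"),
                   to_idna("\u0440\u0430ypal.example"),
                   "keepass.example"):
        print(sample, "->", check_domain(sample, watched))
```

Feed `check_domain` the `Host` or SNI values from proxy or DNS logs; anything with `impersonates` set deserves a look, while `lookalike` alone (a legitimate non-ASCII domain with no brand match) is just context. Python's `punycode` codec is used per label rather than the `idna` codec so that the example does not depend on nameprep behaviour across Python versions.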
SolarWinds fixes code injection in Access Rights Manager
The access-rights management software has, among other flaws, bugs that allowed privilege escalation. Admins should act promptly.
https://www.heise.de/-9339437.html
VMware seals high-risk holes in Aria, Fusion and Workstation
VMware has released updates for VMware Aria Operations for Logs, VMware Fusion and VMware Workstation. They close vulnerabilities, some of them rated high risk.
https://www.heise.de/-9339932.html
IT security authorities give tips on secure software and phishing prevention
The US security agency CISA, together with international partners, has published one guide on secure software design and one on phishing prevention.
https://www.heise.de/-9339899.html
Enabling cybersecurity - BSI publishes checklists for municipalities
The BSI now offers municipalities a straightforward, resource-efficient entry point into the BSI's established IT-Grundschutz.
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2023/231020_WiBA-Checklisten.html
Fake Corsair job offers on LinkedIn push DarkGate malware
A threat actor is using fake LinkedIn posts and direct messages about a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading info-stealing malware like DarkGate and RedLine.
https://www.bleepingcomputer.com/news/security/fake-corsair-job-offers-on-linkedin-push-darkgate-malware/
ExelaStealer: A New Low-Cost Cybercrime Weapon Emerges
A new information stealer named ExelaStealer has become the latest entrant to an already crowded landscape filled with various off-the-shelf malware designed to capture sensitive data from compromised Windows systems. "ExelaStealer is a largely open-source infostealer with paid customizations available from the threat actor," Fortinet FortiGuard Labs researcher James Slaughter said [...]
https://thehackernews.com/2023/10/exelastealer-new-low-cost-cybercrime.html
Ghost In The Wire, Sonic In The Wall - Adventures With SonicWall
Here at watchTowr, we just love attacking high-privilege devices [...]. A good example of these is the device class of "next generation" firewalls, which usually include VPN termination functionality (meaning they're Internet-accessible by network design). These devices patrol the border between the untrusted Internet and an organisation's softer internal network, and so are a great place for attackers to elevate their status from "outsiders" to "trusted users".
https://labs.watchtowr.com/ghost-in-the-wire-sonic-in-the-wall/
VMware Aria Operations for Logs CVE-2023-34051 Technical Deep Dive and IOCs
Earlier this year we reported the technical details for VMSA-2023-0001 affecting VMware Aria Operations for Logs (formerly VMware vRealize Log Insight). [...] During the course of that investigation, we noticed the fix provided by VMware was not sufficient to stop a motivated attacker. We reported this new issue to VMware and it was fixed in VMSA-2023-0021. This post will discuss the technical details of CVE-2023-34051, an authentication bypass that allows remote code execution as root.
https://www.horizon3.ai/vmware-aria-operations-for-logs-cve-2023-34051-technical-deep-dive-and-iocs/
Concerns grow as LockBit knockoffs increasingly target popular vulnerabilities
Hackers are using a leaked toolkit used to create do-it-yourself versions of the popular LockBit ransomware, making it easy for even amateur cybercriminals to target common vulnerabilities. The LockBit ransomware gang, which has attacked thousands of organizations across the world, had the toolkit leaked in September 2022 by a disgruntled affiliate.
https://therecord.media/lockbit-knockoffs-proliferate-leaked-toolkit
Attacks on 5G Infrastructure From User Devices: ASN.1 Vulnerabilities in 5G Cores
In the second part of this series, we will examine how attackers can trigger vulnerabilities by sending control messages masquerading as user traffic to cross over from user plane to control plane.
https://www.trendmicro.com/en_us/research/23/j/asn1-vulnerabilities-in-5g-cores.html
Vulnerabilities
Cisco IOS XE Software Web UI Privilege Escalation Vulnerability
Version 1.2: Added access list mitigation.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
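The "access list mitigation" referenced in the advisory revision restricts who can reach the IOS XE HTTP server at all. The configuration below is an added example, not text from the Cisco advisory: the ACL name `WEBUI-MGMT` and the management prefix `192.0.2.0/24` are assumptions chosen for illustration, and the commands are standard IOS XE syntax for disabling the HTTP server or binding it to an access class. Disabling the web UI remains the stronger option; the ACL is for devices where it must stay reachable from a management network.

```cisco
! 1. Check whether the HTTP/HTTPS server feature (and thus the web UI) is enabled
show running-config | include ip http server|secure-server

! 2. Preferred mitigation: turn the web UI off on Internet-facing devices
configure terminal
 no ip http server
 no ip http secure-server
end

! 3. Alternative: keep the web UI, but only for the management network (assumed 192.0.2.0/24)
configure terminal
 ip access-list standard WEBUI-MGMT
  permit 192.0.2.0 0.0.0.255
  deny   any log
 exit
 ip http access-class ipv4 WEBUI-MGMT
end

! 4. Confirm the access class is applied and watch the log for denied hits
show ip http server status
show logging | include WEBUI-MGMT
```

The `deny any log` entry gives you a cheap detection signal: sources hitting the web UI from outside the management prefix show up in the device log and can be forwarded to syslog.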
Cisco IOS XE Software Web UI Command Injection Vulnerability
Version 1.1: Added information about active exploitation attempts.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webcmdinjsh-UFJxTgZD
RT 5.0.5 Release Notes
RT 5.0.5 is now available for general use. The list of changes included with this release is below. In addition to a batch of updates, new features, and fixes, there are several important security updates provided in this release. See below for details.
https://docs.bestpractical.com/release-notes/rt/5.0.5
RT 4.4.7 Release Notes
RT 4.4.7 is now available for general use. The list of changes included with this release is below. In addition to a batch of updates, new features, and fixes, there are several important security updates provided in this release. See below for details.
https://docs.bestpractical.com/release-notes/rt/4.4.7
VMSA-2023-0022
VMware Fusion and Workstation updates address privilege escalation and information disclosure vulnerabilities (CVE-2023-34044, CVE-2023-34045, CVE-2023-34046)
https://www.vmware.com/security/advisories/VMSA-2023-0022.html
VMSA-2023-0021
VMware Aria Operations for Logs updates address multiple vulnerabilities. (CVE-2023-34051, CVE-2023-34052)
https://www.vmware.com/security/advisories/VMSA-2023-0021.html
Security updates for Friday
Security updates have been issued by Debian (linux-5.10 and webkit2gtk), Fedora (matrix-synapse and trafficserver), Mageia (chromium-browser-stable, ghostscript, libxpm, and ruby-RedCloth), Oracle (.NET 7.0, curl, dotnet7.0, galera, mariadb, go-toolset, golang, java-1.8.0-openjdk, and python-reportlab), Red Hat (php, php:8.0, tomcat, and varnish), Slackware (httpd), SUSE (bluetuith, grub2, kernel, rxvt-unicode, and suse-module-tools), and Ubuntu (dotnet6, dotnet7, dotnet8, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-intel-iotg, linux-oem-6.1, linux-raspi, and mutt).
https://lwn.net/Articles/948368/
Critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway - actively exploited - updates available
A critical vulnerability in Citrix/NetScaler ADC and Citrix Gateway allows unauthenticated attackers to take over existing authenticated sessions. The vulnerability has been actively exploited in attacks against targets in various sectors since at least the end of August 2023.
https://cert.at/de/warnungen/2023/10/kritische-sicherheitslucke-in-citrix-netscaler-adc-und-netscaler-gateway-aktiv-ausgenutzt-updates-verfugbar
Multiple vulnerabilities in ctrlX WR21 HMI
BOSCH-SA-175607: The operating system of the ctrlX WR21 HMI has several vulnerabilities when Kiosk mode is used in conjunction with Google Chrome. In the worst case, an attacker with physical access to the device might gain full root access without prior authentication by chaining the exploitation of those vulnerabilities.
https://psirt.bosch.com/security-advisories/bosch-sa-175607.html
CVE-2023-38041 New client side release to address a privilege escalation on Windows user machines
A vulnerability exists in all versions of the Ivanti Secure Access Client below 22.6R1 that would allow an unprivileged local user to gain unauthorized elevated privileges on the affected system.
https://forums.ivanti.com/s/article/CVE-2023-38041-New-client-side-release-to-address-a-privilege-escalation-on-Windows-user-machines
Decision Optimization in IBM Cloud Pak for Data is affected by a vulnerability in Node.js semver package (CVE-2022-25883)
https://www.ibm.com/support/pages/node/7056400
Multiple vulnerabilities in IBM Semeru Runtime affect IBM ILOG CPLEX Optimization Studio (CVE-2023-21968, CVE-2023-21937, CVE-2023-21938)
https://www.ibm.com/support/pages/node/7056397
Improper input validation may lead to a Denial of Service attack in web services with IBM CICS TX Standard and IBM CICS TX Advanced
https://www.ibm.com/support/pages/node/7056433
IBM App Connect Enterprise is vulnerable to a heap-based buffer overflow due to electron
https://www.ibm.com/support/pages/node/7056425
Improper input validation may lead to a Denial of Service attack in web services with IBM TXSeries for Multiplatforms
https://www.ibm.com/support/pages/node/7056429
IBM Integration Bus is vulnerable to a denial of service due to Eclipse Mosquitto
https://www.ibm.com/support/pages/node/7056456
IBM App Connect Enterprise Toolkit and IBM Integration Bus Toolkit are vulnerable to a denial of service due to Okio GzipSource (CVE-2023-3635).
https://www.ibm.com/support/pages/node/7056518