Tageszusammenfassung - 20.10.2023

End-of-Day report

Timeframe: Donnerstag 19-10-2023 18:00 - Freitag 20-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter


Malvertising: Angreifer nutzen Punycode für gefälschte Webseiten

Cyberkriminelle werben über Google Ads etwa mit gefälschten KeePass-URLs mit Punycode-Zeichen. Die beworbene Seite liefert Malware aus.


SolarWinds behebt Codeschmuggel in Access Rights Manager

Die Software zur Verwaltung von Zugriffsberechtigungen hat unter anderem Fehler, die eine Rechteausweitung ermöglichten. Admins sollten zügig handeln.


VMware dichtet hochriskante Lecks in Aria, Fusion und Workstation ab

VMware hat Updates für VMNware Aria Operations for Logs, VMware Fusion sowie VMware Workstation veröffentlicht. Sie schließen teils hochriskante Lücken.


IT-Sicherheitsbehörden geben Tipps für sichere Software und Phishing-Prävention

Die US-Sicherheitsbehörde CISA veröffentlicht mit internationalen Partnern je eine Handreichung zu sicherem Software-Entwurf und zur Phishing-Prävention.


Cybersicherheit ermöglichen - BSI veröffentlicht Checklisten für Kommunen

Das BSI bietet Kommunen nun einen unkomplizierten und ressourcenschonenden Einstieg in den etablierten IT-Grundschutz des BSI.


Fake Corsair job offers on LinkedIn push DarkGate malware

A threat actor is using fake LinkedIn posts and direct messages about a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading info-stealing malware like DarkGate and RedLine.


ExelaStealer: A New Low-Cost Cybercrime Weapon Emerges

A new information stealer named ExelaStealer has become the latest entrant to an already crowded landscape filled with various off-the-shelf malware designed to capture sensitive data from compromised Windows systems. "ExelaStealer is a largely open-source infostealer with paid customizations available from the threat actor," Fortinet FortiGuard Labs researcher James Slaughter said [...]


Ghost In The Wire, Sonic In The Wall - Adventures With SonicWall

Here at watchTowr, we just love attacking high-privilege devices [...]. A good example of these is the device class of -next generation- firewalls, which usually include VPN termination functionality (meaning they-re Internet-accessible by network design). These devices patrol the border between the untrusted Internet and an organisation-s softer internal network, and so are a great place for attackers to elevate their status from -outsiders- to -trusted users-.


VMware Aria Operations for Logs CVE-2023-34051 Technical Deep Dive and IOCs

Earlier this year we reported the technical details for VMSA-2023-0001 affecting VMware Aria Operations for Logs (formerly VMware vRealize Log Insight). [...] During the course of that investigation, we noticed the fix provided by VMware was not sufficient to stop a motivated attacker. We reported this new issue to VMware and it was fixed in VMSA-2023-0021. This post will discuss the technical details of CVE-2023-34051, an authentication bypass that allows remote code execution as root.


Concerns grow as LockBit knockoffs increasingly target popular vulnerabilities

Hackers are using a leaked toolkit used to create do-it-yourself versions of the popular LockBit ransomware, making it easy for even amateur cybercriminals to target common vulnerabilities. The LockBit ransomware gang, which has attacked thousands of organizations across the world, had the toolkit leaked in September 2022 by a disgruntled affiliate.


Attacks on 5G Infrastructure From User Devices: ASN.1 Vulnerabilities in 5G Cores

In the second part of this series, we will examine how attackers can trigger vulnerabilities by sending control messages masquerading as user traffic to cross over from user plane to control plane.



Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

Version 1.2: Added access list mitigation.


Cisco IOS XE Software Web UI Command Injection Vulnerability

Version 1.1: Added information about active exploitation attempts.


RT 5.0.5 Release Notes

RT 5.0.5 is now available for general use. The list of changes included with this release is below. In addition to a batch of updates, new features, and fixes, there are several important security updates provided in this release. See below for details.


RT 4.4.7 Release Notes

RT 4.4.7 is now available for general use. The list of changes included with this release is below. In addition to a batch of updates, new features, and fixes, there are several important security updates provided in this release. See below for details.



VMware Fusion and Workstation updates address privilege escalation and information disclosure vulnerabilities (CVE-2023-34044, CVE-2023-34045, CVE-2023-34046)



VMware Aria Operations for Logs updates address multiple vulnerabilities. (CVE-2023-34051, CVE-2023-34052)


Security updates for Friday

Security updates have been issued by Debian (linux-5.10 and webkit2gtk), Fedora (matrix-synapse and trafficserver), Mageia (chromium-browser-stable, ghostscript, libxpm, and ruby-RedCloth), Oracle (.NET 7.0, curl, dotnet7.0, galera, mariadb, go-toolset, golang, java-1.8.0-openjdk, and python-reportlab), Red Hat (php, php:8.0, tomcat, and varnish), Slackware (httpd), SUSE (bluetuith, grub2, kernel, rxvt-unicode, and suse-module-tools), and Ubuntu (dotnet6, dotnet7, dotnet8, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15,linux-nvidia, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-intel-iotg, linux-oem-6.1, linux-raspi, and mutt).


Kritische Sicherheitslücke in Citrix NetScaler ADC und NetScaler Gateway - aktiv ausgenutzt - Updates verfügbar

Eine kritische Schwachstelle in Citrix/Netscaler ADC und Citrix Gateway erlaubt es unauthentifizierten Angreifer:innen, bestehende, authentifizierte Sessions zu übernehmen. Diese Schwachstelle wird zumindest seit Ende August 2023 bei Angriffen gegen Ziele in verschiedenen Sektoren aktiv ausgenutzt.


Multiple vulnerabilities in ctrlX WR21 HMI

BOSCH-SA-175607: The operating system of the ctrlX WR21 HMI has several vulnerabilities when the Kiosk mode is used in conjunction with Google Chrome. In worst case, an attacker with physical access to the device might gain full root access without prior authentication by combining the exploitation of those vulnerabilities.


CVE-2023-38041 New client side release to address a privilege escalation on Windows user machines

A vulnerability exists on all versions of the Ivanti Secure Access Client Below 22.6R1 that would allow an unprivileged local user to gain unauthorized elevated privileges on the affected system.


Decision Optimization in IBM Cloud Pak for Data is affected by a vulnerability in Node.js semver package (CVE-2022-25883)


Multiple vulnerabilities in IBM Semeru Runtime affect IBM ILOG CPLEX Optimization Studio (CVE-2023-21968, CVE-2023-21937, CVE-2023-21938)


Improper input validation may lead to a Denial of Service attack in web services with IBM CICS TX Standard and IBM CICS TX Advanced


IBM App Connect Enterprise is vulnerable to a heap-based buffer overflow due to electron


Improper input validation may lead to a Denial of Service attack in web services with IBM TXSeries for Multiplatforms


IBM Integration Bus is vulnerable to a denial of service due to Eclipse Mosquitto


IBM App Connect Enterprise Toolkit and IBM Integration Bus Toolkit are vulnerable to a denial of service due to Okio GzipSource (CVE-2023-3635).