Daily summary - 30.10.2023

End-of-Day report

Timeframe: Friday 27-10-2023 18:00 - Monday 30-10-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter

News

Flying under the Radar: The Privacy Impact of multicast DNS, (Mon, Oct 30th)

The recent patch to iOS/macOS for CVE-2023-42846 made me think it is probably time to write up a reminder about the privacy impact of UPnP and multicast DNS. This is not a new issue, but it appears to have been forgotten a bit. In particular, Apple devices are well-known for their verbose multicast DNS messages.

https://isc.sans.edu/diary/rss/30358


Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware

A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE.

https://thehackernews.com/2023/10/hackers-using-msix-app-packages-to.html


Turning a boring file move into a privilege escalation on Mac

Hopefully other people find this trick useful, beyond just Parallels. You can find the code for this exploit on my GitHub [...] 2023-07-06 - fix released in version 18.3.2.

https://pwn.win/2023/10/28/file-move-privesc-mac.html


citrix-logchecker - Parse citrix netscaler logs to check for signs of CVE-2023-4966 exploitation

CERT.at provides a script via GitHub that can be used to search Citrix logs for potentially hijacked sessions. If suspicious sessions are found, a deeper analysis is recommended.

https://github.com/certat/citrix-logchecker


NATO and government agencies affected by critical vulnerability in the ILIAS learning platform

Three security vulnerabilities in the open-source learning platform ILIAS allow code injection. The vendor has released an updated version.

https://www.heise.de/-9344057.html


Researchers: Roaming security flaws remain a major threat even with 5G

According to a Citizen Lab report, mobile operators and regulators are doing too little to eliminate security weaknesses in the roaming and billing protocols.

https://www.heise.de/-9347577.html


F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747)

F5 Networks has released hotfixes for three vulnerabilities affecting its BIG-IP multi-purpose networking devices/modules, including a critical authentication bypass vulnerability (CVE-2023-46747) that could lead to unauthenticated remote code execution (RCE). About CVE-2023-46747: Discovered and reported by Thomas Hendrickson and Michael Weber of Praetorian Security, CVE-2023-46747 is a request smuggling bug in the Apache JServ Protocol (AJP) used by the vulnerable devices. [...] Praetorian has updated their blog post to include all the technical details, since Project Discovery has created a Nuclei template with the full CVE-2023-46747 attack chain.

https://www.helpnetsecurity.com/2023/10/30/cve-2023-46747/


Attackers Can Use Modified Wikipedia Pages to Mount Redirection Attacks on Slack

Researchers document the Wiki-Slack attack, a new technique that uses modified Wikipedia pages to target end users on Slack.

https://www.securityweek.com/attackers-can-use-modified-wikipedia-pages-to-mount-redirection-attacks-on-slack/


Beware of fake shops offering cheap groceries

Nowadays you can also order groceries online. Keep in mind, however, that fraudulent offers exist here too. Criminals offer heavily discounted groceries in fake shops such as leckerwurzede.com. If you order there, you lose your money!

https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-mit-guenstigen-lebensmitteln/


CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys

We analyze an attack path starting with GitHub IAM exposure and leading to creation of AWS Elastic Compute instances - which TAs used to perform cryptojacking.

https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/


NetSupport Intrusion Results in Domain Compromise

NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report on a NetSupport RAT intrusion, but malicious use of this tool dates back to at least 2016. During this report, we will analyze a case from January 2023 where a NetSupport RAT was utilized to infiltrate a network. The RAT was then used for persistence and command & control, resulting in a full domain compromise.

https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/

Vulnerabilities

Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature

Version 2.4: Updated summary to indicate additional fixed releases and updated fixed release table.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z


Security updates for Monday

Security updates have been issued by Debian (distro-info, distro-info-data, gst-plugins-bad1.0, node-browserify-sign, nss, openjdk-11, and thunderbird), Fedora (chromium, curl, nghttp2, and xorg-x11-server-Xwayland), Gentoo (Dovecot, Rack, rxvt-unicode, and UnZip), Mageia (apache, bind, and vim), Red Hat (varnish:6), SUSE (nodejs12, opera, python-bugzilla, python-Django, and vorbis-tools), and Ubuntu (exim4, firefox, nodejs, slurm-llnl, and slurm-wlm).

https://lwn.net/Articles/949238/


Mattermost security updates 9.1.1 / 9.0.2 / 8.1.4 (ESR) / 7.8.13 (ESR) released

We're informing you about a Mattermost security update, which addresses low- to medium-severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.1.1, 9.0.2, 8.1.4 (Extended Support Release), and 7.8.13 (Extended Support Release), for both Team Edition and Enterprise Edition.

https://mattermost.com/blog/mattermost-security-updates-9-1-1-9-0-2-8-1-4-esr-7-8-13-esr-released/


Inkdrop vulnerable to code injection

https://jvn.jp/en/jp/JVN48057522/


2023-10-30: Cyber Security Advisory - ABB COM600 CODESYS Vulnerabilities

https://search.abb.com/library/Download.aspx?DocumentID=2NGA001822&LanguageCode=en&DocumentPartId=&Action=Launch


Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation.

https://www.ibm.com/support/pages/node/7061278


IBM i is vulnerable to a local privilege escalation due to flaws in Management Central (CVE-2023-40685, CVE-2023-40686).

https://www.ibm.com/support/pages/node/7060686


Due to use of Java 8.0.7.11 version, InfoSphere Data Replication is vulnerable to crypto attacks.

https://www.ibm.com/support/pages/node/7061888


IBM Storage Ceph is vulnerable to a stack overflow attack in Golang (CVE-2022-24675)

https://www.ibm.com/support/pages/node/7061939


Multiple vulnerabilities exist in the IBM SDK, Java Technology Edition that affect IBM Tivoli Network Manager.

https://www.ibm.com/support/pages/node/7062331


A vulnerability exists in the IBM SDK, Java Technology Edition affecting IBM Tivoli Network Manager (CVE-2023-22045, CVE-2023-22049).

https://www.ibm.com/support/pages/node/7062330


IBM Automation Decision Services October 2023 - Multiple CVEs addressed

https://www.ibm.com/support/pages/node/7062348


Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to code injection and privilege escalation due to multiple vulnerabilities in Go

https://www.ibm.com/support/pages/node/7062415


Due to the use of OpenSSL, IBM Tivoli Netcool System Service Monitors/Application Service Monitors is vulnerable to a denial of service and a security restrictions bypass.

https://www.ibm.com/support/pages/node/7062426