End-of-Day report
Timeframe: Freitag 27-10-2023 18:00 - Montag 30-10-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Flying under the Radar: The Privacy Impact of multicast DNS, (Mon, Oct 30th)
The recent patch to iOS/macOS for CVE-2023-42846 made me think it is probably time to write up a reminder about the privacy impact of UPNP and multicast DNS. This is not a new issue, but it appears to have been forgotten a bit [vuln]. In particular, Apple devices are well-known for their verbose multicast DNS messages.
https://isc.sans.edu/diary/rss/30358
Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware
A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE.
https://thehackernews.com/2023/10/hackers-using-msix-app-packages-to.html
Turning a boring file move into a privilege escalation on Mac
Hopefully other people find this trick useful, beyond just Parallels. You can find the code for this exploit on my GitHub [...] 2023-07-06 - fix released in version 18.3.2.
https://pwn.win/2023/10/28/file-move-privesc-mac.html
citrix-logchecker - Parse citrix netscaler logs to check for signs of CVE-2023-4966 exploitation
CERT.at stellt via Github ein Skript zur Verfügung, welches genutzt werden kann, um Citrix-Logs nach potenziell übernommenen Sessions zu durchsuchen. Sollten auffällige Sessions gefunden werden, wird eine tiefergehende Analyse empfohlen.
https://github.com/certat/citrix-logchecker
NATO und Behörden von kritischer Lücke in Lernplattform ILIAS betroffen
Gleich drei Sicherheitslücken in der Open-Source-Lernplattform ILIAS erlauben Codeschmuggel. Der Hersteller stellt eine aktualisierte Version bereit.
https://www.heise.de/-9344057.html
Forscher: Sicherheitslücken beim Roaming bleiben auch bei 5G eine große Gefahr
Mobilfunker und Regulierer unternehmen laut einem Bericht des Citizen Lab zu wenig, um Sicherheitsschwächen der Roaming- und Abrechnungsprotokolle auszumerzen.-
https://www.heise.de/-9347577.html
F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747)
F5 Networks has released hotfixes for three vulnerabilities affecting its BIG-IP multi-purpose networking devices/modules, including a critical authentication bypass vulnerability (CVE-2023-46747) that could lead to unauthenticated remote code execution (RCE). About CVE-2023-46747 Discovered and reported by Thomas Hendrickson and Michael Weber of Praetorian Security, CVE-2023-46747 is a request smuggling bug in the Apache JServ Protocol (AJP) used by the vulnerable devices. [...] Praetorian has updated their blog post to include all the technical details, since Project Discovery has created a Nuclei template with the full CVE-2023-46747 attack chain.
https://www.helpnetsecurity.com/2023/10/30/cve-2023-46747/
Attackers Can Use Modified Wikipedia Pages to Mount Redirection Attacks on Slack
Researchers document the Wiki-Slack attack, a new technique that uses modified Wikipedia pages to target end users on Slack.
https://www.securityweek.com/attackers-can-use-modified-wikipedia-pages-to-mount-redirection-attacks-on-slack/
Vorsicht vor Fake-Shops mit günstigen Lebensmitteln
Mittlerweile können Sie auch Lebensmittel online bestellen. Bedenken Sie aber: Auch hier gibt es betrügerische Angebote. Kriminelle bieten stark vergünstigte Lebensmittel in Fake-Shops wie leckerwurzede.com an. Wenn Sie dort bestellen, verlieren Sie Ihr Geld!
https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-mit-guenstigen-lebensmitteln/
CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys
We analyze an attack path starting with GitHub IAM exposure and leading to creation of AWS Elastic Compute instances - which TAs used to perform cryptojacking.
https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-keys-cryptojacking/
NetSupport Intrusion Results in Domain Compromise
NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report on a NetSupport RAT intrusion, but malicious use of this tool dates back to at least 2016. During this report, we will analyze a case from January 2023 where a NetSupport RAT was utilized to infiltrate a network. The RAT was then used for persistence and command & control, resulting in a full domain compromise.
https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
Vulnerabilities
Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
Version 2.4: Updated summary to indicate additional fixed releases and updated fixed release table.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
Security updates for Monday
Security updates have been issued by Debian (distro-info, distro-info-data, gst-plugins-bad1.0, node-browserify-sign, nss, openjdk-11, and thunderbird), Fedora (chromium, curl, nghttp2, and xorg-x11-server-Xwayland), Gentoo (Dovecot, Rack, rxvt-unicode, and UnZip), Mageia (apache, bind, and vim), Red Hat (varnish:6), SUSE (nodejs12, opera, python-bugzilla, python-Django, and vorbis-tools), and Ubuntu (exim4, firefox, nodejs, and slurm-llnl, slurm-wlm).
https://lwn.net/Articles/949238/
Mattermost security updates 9.1.1 / 9.0.2 / 8.1.4 (ESR) / 7.8.13 (ESR) released
We-re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.1.1, 9.0.2, 8.1.4 (Extended Support Release), and 7.8.13 (Extended Support Release), for both Team Edition and Enterprise Edition.
https://mattermost.com/blog/mattermost-security-updates-9-1-1-9-0-2-8-1-4-esr-7-8-13-esr-released/
Inkdrop vulnerable to code injection
https://jvn.jp/en/jp/JVN48057522/
2023-10-30: Cyber Security Advisory - ABB COM600 CODESYS Vulnerabilities
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001822&LanguageCode=en&DocumentPartId=&Action=Launch
Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation.
https://www.ibm.com/support/pages/node/7061278
IBM i is vulnerable to a local privilege escalation due to flaws in Management Central (CVE-2023-40685, CVE-2023-40686).
https://www.ibm.com/support/pages/node/7060686
Due to use of Java 8.0.7.11 version, InfoSphere Data Replication is vulnerable to crypto attacks.
https://www.ibm.com/support/pages/node/7061888
IBM Storage Ceph is vulnerable to a stack overflow attack in Golang (CVE-2022-24675)
https://www.ibm.com/support/pages/node/7061939
Multiple vulnerabilities exist in the IBM SDK, Java Technology Edition affect IBM Tivoli Network Manager.
https://www.ibm.com/support/pages/node/7062331
A vulnerability exists in the IBM SDK, Java Technology Edition affecting IBM Tivoli Network Manager (CVE-2023-22045, CVE-2023-22049).
https://www.ibm.com/support/pages/node/7062330
IBM Automation Decision Services October 2023 - Multiple CVEs addressed
https://www.ibm.com/support/pages/node/7062348
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to code injection and privilege escalation due to multiple vulnerabilities in Go
https://www.ibm.com/support/pages/node/7062415
Due to the use of OpenSSL IBM Tivoli Netcool System Service Monitors/Application Service Monitors is vulnerable to a denial of service and security bypass restrictions.
https://www.ibm.com/support/pages/node/7062426