Daily summary - 02.11.2023

End-of-Day report

Timeframe: Tuesday 31-10-2023 18:00 - Thursday 02-11-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter

News

New CVSS 4.0 vulnerability severity rating standard released

The Forum of Incident Response and Security Teams (FIRST) has officially released CVSS v4.0, the next generation of its Common Vulnerability Scoring System standard, eight years after CVSS v3.0, the previous major version.

https://www.bleepingcomputer.com/news/security/new-cvss-40-vulnerability-severity-rating-standard-released/


Only two were patched: vulnerabilities in 34 drivers put Windows systems at risk

Security researchers at VMware's Threat Analysis Unit (TAU) have identified vulnerabilities in a total of 34 different Windows device drivers. Malicious actors can deliberately manipulate firmware and gain elevated privileges on target systems. "All drivers give non-admin users full control over the devices," the researchers explain in their report.

https://www.golem.de/news/nur-zwei-wurden-gepatcht-schwachstellen-in-34-treibern-gefaehrden-windows-systeme-2311-179046.html


Windows 11, version 23H2 security baseline

This release includes several changes to further assist in the security of enterprise customers. Changes have been made to provide additional protections to the local admin account, Microsoft Defender Antivirus updates, and a new setting in response to an MSRC bulletin.

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-23h2-security-baseline/ba-p/3967618


Modern phone scammers: how fraudsters steal money with just one phone call

This blog post describes a vulnerability in a banking application that allowed attackers to carry out money transfers of up to €5,000 in the name of other users without being noticed. It also describes further possible attack scenarios through which personal information can be harvested.

https://sec-consult.com/de/blog/detail/moderne-telefonbetrueger-wie-betrueger-geld-mit-nur-einem-telefonanruf-stehlen/


Patch now! Attacks on BIG-IP appliances observed

F5 warns of attacks on BIG-IP appliances. Security patches are available. One vulnerability is rated critical.

https://www.heise.de/-9350108


Security vulnerabilities: attackers can manipulate Cisco firewalls

Several vulnerabilities affect, among others, Cisco Firepower and Identity Services Engine. Patches are available.

https://www.heise.de/-9351087


MITRE ATT&CK v14 released

MITRE has released MITRE ATT&CK v14, the newest iteration of its popular investigation framework / knowledge base of tactics and techniques employed by cyber attackers. ATT&CK's goal is to catalog and categorize the behaviors of cyber adversaries in real-world attacks.

https://www.helpnetsecurity.com/2023/11/02/mitre-attck-v14/


Unveiling the Dark Side: A Deep Dive into Active Ransomware Families

This series will focus on TTPs deployed by four ransomware families recently observed during NCC Group's incident response engagements.

https://research.nccgroup.com/2023/10/31/unveiling-the-dark-side-a-deep-dive-into-active-ransomware-families/


Who killed Mozi? IoT zombie botnet finally laid to rest

How ESET Research found a kill switch that was used to take down one of the most widespread botnets.

https://www.welivesecurity.com/de/eset-research/wer-hat-mozi-getotet-iot-zombie-botnetz-wurde-endlich-zu-grabe-tragen/


Free webinar series "Schutz im Internet"

In cooperation with the Arbeiterkammer Oberösterreich, the ÖIAT (Österreichisches Institut für angewandte Telekommunikation) is hosting a free webinar series on topics such as online shopping, internet fraud and identity theft!

https://www.watchlist-internet.at/news/kostenlose-webinar-reihe-schutz-im-internet/


Drupal 9 is end of life - PSA-2023-11-01

Drupal 9 relies on several other software projects, including Symfony, CKEditor, and Twig. With Symfony 4's end of life, CKEditor 4's end of life, and Twig 2's end of life all coming up soon, Drupal 9 went end of life on November 1st, 2023. There will be no further releases of Drupal 9.

https://www.drupal.org/psa-2023-11-01


Warning Against Infostealer Infections Upon Executing Legitimate EXE Files (DLL Hijacking)

Caution is advised as an Infostealer that prompts the execution of legitimate EXE files is actively being distributed. The threat actor is distributing a legitimate EXE file with a valid signature and a malicious DLL compressed in the same directory. The EXE file itself is legitimate, but when executed in the same directory as the malicious DLL, it automatically runs that malicious DLL. This technique is called DLL hijacking and is often used in the distribution of malware.

https://asec.ahnlab.com/en/58319/


Attackers use JavaScript URLs, API forms and more to scam users in popular online game "Roblox"

Where there is a potential for profit there are also people trying to scam others. "Roblox" users can be targeted by scammers (known as "beamers" by "Roblox" players) who attempt to steal valuable items or Robux from other players. This can sometimes be made easier for the scammers because of "Roblox's" young user base. Nearly half of the game's 65 million users are under the age of 13 and may not be as adept at spotting scams.

https://blog.talosintelligence.com/roblox-scam-overview/


Suspected Exploitation of Apache ActiveMQ CVE-2023-46604

Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October. Rapid7 observed similar indicators of compromise across the affected customer environments, both of which were running outdated versions of Apache ActiveMQ.

https://www.rapid7.com/blog/post/2023/11/01/etr-suspected-exploitation-of-apache-activemq-cve-2023-46604/

Vulnerabilities

Unpatched Powerful SSRF in Exchange OWA - Getting Response Through Attachments

As the attacker can abuse this SSRF to retrieve the content of the response, I thought it was a good finding. However, Microsoft did not agree [...] In short: this may get fixed or it may not. If they decide to fix it, the patch may appear in 1 year or in 3 years. In general, we know nothing. Accordingly, we informed Microsoft of our intention to publish this vulnerability as a 0-day advisory and a blog post. As we consider this issue potentially dangerous, we want organizations to be aware of the threat. For this reason, we are providing a PoC HTTP Request to be used for filtering and/or monitoring.

https://www.thezdi.com/blog/2023/11/1/unpatched-powerful-ssrf-in-exchange-owa-getting-response-through-attachments


Cisco Security Advisories

Cisco has released 24 new and 4 updated Security Advisories (2x Critical, 11x High, 15x Medium)

https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastPublishedStartDate=2023%2F10%2F30&lastPublishedEndDate=2023%2F11%2F02&limit=50


Critical PHPFox RCE Vulnerability Risked Social Networks

Heads up, phpFox users! A critical remote code execution vulnerability existed in the phpFox service that allowed community takeovers [...] The researcher urged all phpFox users to update to the latest phpFox release (version 4.8.14 or later) to receive the security fix.

https://latesthackingnews.com/2023/10/30/critical-phpfox-rce-vulnerability-risked-social-networks/


Web browser: Google Chrome fixes 15 vulnerabilities and gains HTTPS upgrades

Google has released version 119 of the Chrome web browser. It closes 15 security vulnerabilities and establishes the HTTPS upgrade mechanism.

https://www.heise.de/-9349956


Nvidia security updates: GeForce driver vulnerabilities put PCs at risk

Nvidia's developers have closed several security vulnerabilities in the graphics card driver and the vGPU software.

https://www.heise.de/-9351600


SolarWinds Platform 2023.4 closes code-injection vulnerabilities

SolarWinds has released the Platform update to version 2023.4. Besides various bug fixes, it also closes security vulnerabilities.

https://www.heise.de/-9351584


VMSA-2023-0025

An open redirect vulnerability in VMware Workspace ONE UEM console was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products. (CVE-2023-20886)

https://www.vmware.com/security/advisories/VMSA-2023-0025.html


Security updates for Wednesday

Security updates have been issued by Debian (h2o, open-vm-tools, pmix, and zookeeper), Gentoo (GitPython), Oracle (firefox, java-11-openjdk, java-17-openjdk, libguestfs-winsupport, nginx:1.22, and thunderbird), Red Hat (samba), SUSE (container-suseconnect, libsndfile, and slurm), and Ubuntu (krb5, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux-laptop, linux-nvidia-6.2, linux-oem-6.1, linux-raspi, open-vm-tools, and xorg-server).

https://lwn.net/Articles/949612/


Security updates for Thursday

Security updates have been issued by Gentoo (Netatalk), Oracle (firefox), Red Hat (.NET 6.0, .NET 6.0, .NET 7.0, binutils, and qemu-kvm), SUSE (gcc13, tomcat, and xorg-x11-server), and Ubuntu (axis, libvpx, linux-starfive, thunderbird, and xrdp).

https://lwn.net/Articles/949820/


[R1] Nessus Version 10.5.6 Fixes Multiple Vulnerabilities

https://www.tenable.com/security/tns-2023-36


[R1] Nessus Agent Version 10.4.3 Fixes Multiple Vulnerabilities

https://www.tenable.com/security/tns-2023-38


[R1] Nessus Version 10.6.2 Fixes Multiple Vulnerabilities

https://www.tenable.com/security/tns-2023-37


Drupal: Paragraphs admin - Moderately critical - - SA-CONTRIB-2023-049

https://www.drupal.org/sa-contrib-2023-049


Open Exchange: 2023-08-01: OXAS-ADV-2023-0004

https://documentation.open-xchange.com/security/advisories/txt/oxas-adv-2023-0004.txt


IBM Security Bulletin

https://www.ibm.com/support/pages/bulletin/


Weintek EasyBuilder Pro

https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-05


Schneider Electric SpaceLogic C-Bus Toolkit

https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-06


Franklin Fueling System TS-550

https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-04


Red Lion Crimson

https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-01


Mitsubishi Electric MELSEC iQ-F Series CPU Module

https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-02


Mitsubishi Electric MELSEC Series

https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-03