End-of-Day report
Timeframe: Friday 01-12-2023 18:00 - Monday 04-12-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
News
LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks
The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware.
https://thehackernews.com/2023/12/logofail-uefi-vulnerabilities-expose.html
New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices
Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that's capable of targeting routers and IoT devices.
https://thehackernews.com/2023/12/new-p2pinfect-botnet-mips-variant.html
Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs
Today, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD) released a joint Cybersecurity Advisory (CSA), "IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors", in response to the active exploitation of Unitronics programmable logic controllers (PLCs) in multiple sectors.
https://www.cisa.gov/news-events/alerts/2023/12/01/cisa-and-partners-release-joint-advisory-irgc-affiliated-cyber-actors-exploiting-plcs
Phishing attacks: fraudsters abuse hotel booking platform booking.com
Using malware specialised in data theft, cybercriminals first attacked hotel staff and then sent fraudulent emails to guests through Booking.
https://www.heise.de/-9547507
Update your iPhones! Apple fixes two zero-days in iOS
Apple has released an emergency security update for two zero-day vulnerabilities which may have already been exploited.
https://www.malwarebytes.com/blog/news/2023/12/update-your-iphones-apple-fixes-two-zero-days-in-ios
PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin
The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users. The phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user's site with an identifier of CVE-2023-45124, which is not currently a valid CVE.
https://www.wordfence.com/blog/2023/12/psa-fake-cve-2023-45124-phishing-scam-tricks-users-into-installing-backdoor-plugin/
Beware of fake Microsoft security warnings
While browsing the web, a security warning suddenly pops up: "For security reasons this device has been blocked. Call Windows Support." A synthesised voice additionally tells you that your credit card and Facebook data as well as personal data are being passed on to hackers. For technical support you are supposed to call a phone number.
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschter-microsoft-sicherheitswarnung/
Zyxel warns of critical security vulnerabilities in NAS devices
Does anyone run a Zyxel NAS in their environment? The Taiwanese manufacturer has just warned of several vulnerabilities in the firmware of these devices. Three critical vulnerabilities allow an unauthenticated attacker to execute operating system commands on vulnerable NAS (Network-Attached Storage) devices.
https://www.borncity.com/blog/2023/12/02/zyxel-warnt-vor-kritischen-sicherheitslcken-in-nas-gerten/
Vulnerabilities
SQUID-2023:7 Denial of Service in HTTP Message Processing
Due to a Buffer Overread bug Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing[..] This problem allows a remote attacker to perform Denial of Service when sending easily crafted HTTP Messages.
https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9
SQUID-2023:8 Denial of Service in Helper Process management
Due to an Incorrect Check of Function Return Value bug Squid is vulnerable to a Denial of Service attack against its Helper process management. [..] This problem allows a trusted client or remote server to perform a Denial of Service attack when the Squid proxy is under load.
https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27
SQUID-2023:9 Denial of Service in HTTP Collapsed Forwarding
Due to a Use-After-Free bug Squid is vulnerable to a Denial of Service attack against collapsed forwarding [..] This problem allows a remote client to perform Denial of Service attack on demand when Squid is configured with collapsed forwarding.
https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5
GitLab Security Release: 16.6.1, 16.5.3, 16.4.3
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. CVE IDs: CVE-2023-6033, CVE-2023-6396, CVE-2023-3949, CVE-2023-5226, CVE-2023-5995, CVE-2023-4912, CVE-2023-4317, CVE-2023-3964, CVE-2023-4658, CVE-2023-3443
https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1-released/
Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call
Sonos Era 100 is a smart speaker released in 2023. A vulnerability exists in the U-Boot component of the firmware which would allow for persistent arbitrary code execution with Linux kernel privileges. This vulnerability could be exploited either by an attacker with physical access to the device, or by obtaining write access to the flash memory through a separate runtime vulnerability. [..] Sonos state an update was released on 2023-11-15 which remediated the issue.
https://research.nccgroup.com/2023/12/04/technical-advisory-sonos-era-100-secure-boot-bypass-through-unchecked-setenv-call/
Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution
In this blog post, we detailed an Arbitrary File Upload vulnerability within the MW WP Form plugin affecting versions 5.0.1 and earlier. This vulnerability allows unauthenticated threat actors to upload arbitrary files, including PHP backdoors, and execute those files on the server. The vulnerability has been fully addressed in version 5.0.2 of the plugin. [..] CVE ID: CVE-2023-6316 / CVSS Score: 9.8 (Critical)
https://www.wordfence.com/blog/2023/12/update-asap-critical-unauthenticated-arbitrary-file-upload-in-mw-wp-form-allows-malicious-code-execution/
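Since the MW WP Form bug lets an unauthenticated attacker drop PHP into the upload area, patching alone is not enough; anyone who ran a vulnerable version should also sweep the uploads tree for web shells. The following is an added example written for this report, not code from Wordfence or the plugin: it walks a directory, flags files whose name carries a PHP extension anywhere in its dotted parts (so `cat.php.jpg` is caught) and files whose content starts with a PHP opening tag regardless of extension. The extension list and the `wp-content/uploads` default path are common assumptions, not taken from the advisory.

```python
"""Scan a WordPress uploads tree for files that could be executed as PHP.

Added example for this report (not Wordfence's or the plugin's code). It
assumes the usual layout where user uploads live under wp-content/uploads;
the extension list is a common Apache/PHP set, not taken from the advisory.
"""
import os
import re
from pathlib import Path

# Extensions a typical Apache/PHP setup may hand to the PHP interpreter (assumed set).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# PHP opening tags ("<?php" or the short echo tag "<?="); "<?xml" must not match.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def suspicious_extension(name: str) -> bool:
    """True if any dotted part after the base name is a PHP extension (catches a.php.jpg)."""
    parts = name.lower().split(".")
    return any("." + p in PHP_EXTENSIONS for p in parts[1:])


def contains_php(path: Path, limit: int = 64 * 1024) -> bool:
    """True if a PHP opening tag appears in the first `limit` bytes of the file."""
    try:
        with path.open("rb") as fh:
            return PHP_TAG.search(fh.read(limit)) is not None
    except OSError:
        return False


def scan_uploads(root) -> list:
    """Return one finding per suspicious file: relative path, reasons, size in bytes."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            reasons = []
            if suspicious_extension(name):
                reasons.append("php-extension")
            if contains_php(path):
                reasons.append("php-tag-in-content")
            if reasons:
                findings.append({
                    "path": path.relative_to(root).as_posix(),
                    "reasons": reasons,
                    "size": path.stat().st_size,
                })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for f in scan_uploads(target):
        print(f"{f['path']}\t{','.join(f['reasons'])}\t{f['size']} bytes")
```

Run it as `python3 scan_uploads.py /var/www/html/wp-content/uploads`; a legitimate uploads directory should produce no output, so every hit deserves a look. The content check only reads the first 64 KiB of each file, which is enough for the usual "image header followed by `<?php`" trick but will miss a tag buried deeper in a large file.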
Security updates for Monday
Security updates have been issued by Debian (amanda, ncurses, nghttp2, opendkim, rabbitmq-server, and roundcube), Fedora (golang-github-openprinting-ipp-usb, kernel, kernel-headers, kernel-tools, and samba), Mageia (audiofile, galera, libvpx, and virtualbox), Oracle (kernel and postgresql:13), SUSE (openssl-3, optipng, and python-Pillow), and Ubuntu (firefox).
https://lwn.net/Articles/953702/
Ruckus Access Point vulnerable to cross-site scripting
https://jvn.jp/en/jp/JVN45891816/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/