Daily Summary - 06.12.2023

End-of-Day report

Timeframe: Tuesday 05-12-2023 18:00 - Wednesday 06-12-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer

News

Deceptive security: attackers can fake iOS Lockdown Mode

iOS Lockdown Mode is meant to protect iPhone owners against cyberattacks. Researchers have shown how the feature can be faked.

https://www.golem.de/news/truegerische-sicherheit-angreifer-koennen-lockdown-modus-von-ios-faelschen-2312-180068.html


Whose packet is it anyway: a new RFC for attribution of internet probes, (Wed, Dec 6th)

So far, security analysts and administrators have had to rely mostly on WHOIS, RDAP, reverse DNS lookups and third-party data (e.g., data from ISC/DShield) in order to gain some idea of who might be behind a specific scan and whether it was malicious or not. However, authors of the aforementioned RFC came up with several ideas of how originators of "internet probes" might simplify their own identification.

https://isc.sans.edu/diary/rss/30456


Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks

Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023.

https://thehackernews.com/2023/12/qualcomm-releases-details-on-chip.html


Alert: Threat Actors Can Leverage AWS STS to Infiltrate Cloud Accounts

Threat actors can take advantage of Amazon Web Services Security Token Service (AWS STS) as a way to infiltrate cloud accounts and conduct follow-on attacks. The service enables threat actors to impersonate user identities and roles in cloud environments, Red Canary researchers Thomas Gardner and Cody Betsworth said in a Tuesday analysis.

https://thehackernews.com/2023/12/alert-threat-actors-can-leverage-aws.html
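As an added illustration (not part of the Red Canary analysis or of the article above), the Python below walks a set of constructed CloudTrail-style events and ties every API call made with STS-issued temporary credentials (access key IDs beginning with ASIA) back to the long-term key (AKIA...) and the IAM user that requested them via AssumeRole, GetFederationToken or GetSessionToken. The events, key IDs, account number and IP addresses are constructed for the example; the field names follow the CloudTrail record layout.

```python
"""Attribute actions taken with STS temporary credentials back to the
long-term IAM key that requested them (added example; the events below are
constructed and the field names follow the CloudTrail record layout)."""

STS_MINTING_CALLS = {"AssumeRole", "GetFederationToken", "GetSessionToken"}

# Constructed CloudTrail-style events: the long-term key of the IAM user
# "svc-backup" requests federation and role credentials, and the resulting
# ASIA... keys are then used for follow-on API calls.
SAMPLE_EVENTS = [
    {"eventTime": "2023-12-05T19:02:11Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup",
                      "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"name": "updater"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEFED000001"}}},
    {"eventTime": "2023-12-05T19:03:40Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "svc-backup",
                      "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Admin",
                           "roleSessionName": "s3"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEROLE00002"}}},
    {"eventTime": "2023-12-05T19:05:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEROLE00002"},
     "requestParameters": {"userName": "backdoor"}},
    {"eventTime": "2023-12-05T19:06:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "FederatedUser", "accessKeyId": "ASIAEXAMPLEFED000001"}},
    {"eventTime": "2023-12-05T19:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAEXAMPLE000000002"}},
]


def build_credential_lineage(events):
    """Map each STS-issued access key to the key and principal that requested it."""
    lineage = {}
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" \
                or ev.get("eventName") not in STS_MINTING_CALLS:
            continue
        child = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
        parent = ev.get("userIdentity", {}).get("accessKeyId")
        if child and parent:
            lineage[child] = {
                "parent": parent,
                "via": ev["eventName"],
                "role": ev.get("requestParameters", {}).get("roleArn"),
                "principal": ev["userIdentity"].get("userName"),
                "sourceIP": ev.get("sourceIPAddress"),
            }
    return lineage


def attribute_events(events):
    """For every call made with temporary credentials (ASIA...), follow the
    lineage back to the originating long-term key, across chained roles."""
    lineage = build_credential_lineage(events)
    findings = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        if not key.startswith("ASIA"):
            continue
        chain, seen = [], set()
        cur = key
        while cur in lineage and cur not in seen:   # 'seen' guards against loops
            seen.add(cur)
            chain.append(lineage[cur])
            cur = lineage[cur]["parent"]
        findings.append({
            "eventName": ev["eventName"],
            "tempKey": key,
            "rootKey": cur,
            # the last hop is the long-term key, which carries the IAM user name
            "principal": chain[-1]["principal"] if chain else None,
            "path": [hop["via"] for hop in chain],
            # True if the temp key was used but never minted inside this log window
            "orphan": not chain,
        })
    return findings


if __name__ == "__main__":
    for f in attribute_events(SAMPLE_EVENTS):
        print(f"{f['eventName']:<18} {f['tempKey']} <- {f['rootKey']} "
              f"({f['principal']}) via {'/'.join(f['path']) or 'unknown'}")
```

Attribution is only as good as the log window: a temporary key whose minting call falls outside it shows up as an orphan, and an attacker holding a stolen long-term key can rotate through many short-lived ASIA keys. Alerting on the minting calls themselves (GetFederationToken from an IAM user key is worth a look in any environment where no workload is known to use it) catches the behaviour earlier than alerting only on the follow-on actions.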


Blind CSS Exfiltration: exfiltrate unknown web pages

Why would we want to do blind CSS exfiltration? Imagine you've got a blind HTML injection vulnerability but you can't get XSS because of the site's CSP, or perhaps the site has a server-side or DOM-based filter such as DOMPurify. JavaScript is off the table but they allow styles because they're just styles, right? What possible damage can you do with just CSS?

https://portswigger.net/research/blind-css-exfiltration


SLAM: new Spectre variant endangers future CPU generations

Researchers trick the memory management of upcoming CPU generations into letting them read supposedly protected data from RAM.

https://www.heise.de/-9549625


Windows 10: security updates after end of support

Anyone who wants to keep running Windows 10 beyond 2025 must either move to the Microsoft 365 cloud or pay for patches.

https://www.heise.de/-9566262


Beware of fraud: invoice from the "Registergericht"

A fraud campaign is apparently running again in which letters containing fake invoices from a purported "Registergericht" (commercial register court) are being sent to companies.

https://www.borncity.com/blog/2023/12/06/achtung-betrug-rechnung-vom-registergericht/


CVE-2023-49105, WebDAV Api Authentication Bypass in ownCloud

While the 10/10 CVE-2023-49103 got all the attention last week, organizations should not quickly overlook CVE-2023-49105! CVE-2023-49105 is an authentication bypass issue affecting ownCloud from version 10.6.0 to version 10.13.0. It allows an attacker to access, modify, or delete any file without authentication if the username is known. Even if the user has no signing key configured, ownCloud accepts pre-signed URLs, enabling the attacker to generate URLs for arbitrary file operations.

https://www.greynoise.io/blog/cve-2023-49105-webdav-api-authentication-bypass-in-owncloud
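As an added, generic illustration of the failure mode described above (this is not ownCloud's code; the parameter names OC-Credential, OC-Date, OC-Expires and OC-Signature, the key store and the file paths are constructed for the example), the vulnerable verifier below degrades a missing per-user signing key to the empty string, so anyone who knows a username can mint valid pre-signed URLs for that user with an empty key. The hardened verifier refuses pre-signed access for any user who has no key configured, requires every parameter, enforces expiry and compares signatures in constant time.

```python
"""Pre-signed URL verification, vulnerable vs. hardened (added example, not
ownCloud's implementation; parameter names, key store and paths are constructed)."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed key store: "bob" exists but has never configured a signing key.
SIGNING_KEYS = {"alice": "s3cr3t-key-for-alice", "bob": None}

REQUIRED = ("OC-Credential", "OC-Date", "OC-Expires", "OC-Signature")


def canonical_string(method, path, params):
    """Everything the signature covers, in a fixed order (signature itself excluded)."""
    signed = sorted((k, v) for k, v in params.items() if k != "OC-Signature")
    return "\n".join([method.upper(), path, urlencode(signed)])


def sign(key, method, path, params):
    return hmac.new(key.encode(), canonical_string(method, path, params).encode(),
                    hashlib.sha256).hexdigest()


def presign(user, key, method, path, ttl=300, now=None):
    """Build a pre-signed URL. A legitimate client calls this with the user's real
    key; an attacker calls it with key='' against the vulnerable verifier."""
    now = int(time.time() if now is None else now)
    params = {"OC-Credential": user, "OC-Date": str(now), "OC-Expires": str(ttl)}
    params["OC-Signature"] = sign(key, method, path, params)
    return f"{path}?{urlencode(params)}"


def _split(url):
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


def _expired(params, now):
    return now > int(params["OC-Date"]) + int(params["OC-Expires"])


def verify_vulnerable(method, url, now):
    """Bug: a user with no signing key is handled as if the key were '', so a
    signature the attacker computed with '' matches."""
    path, params = _split(url)
    key = SIGNING_KEYS.get(params.get("OC-Credential")) or ""
    if _expired(params, now):
        return False
    return sign(key, method, path, params) == params.get("OC-Signature")


def verify_hardened(method, url, now):
    """Fix: no key configured means pre-signed URLs are unavailable for that user;
    also require all parameters, enforce expiry and compare in constant time."""
    path, params = _split(url)
    if any(p not in params for p in REQUIRED):
        return False
    key = SIGNING_KEYS.get(params["OC-Credential"])
    if not key:
        return False
    if _expired(params, now):
        return False
    expected = sign(key, method, path, params)
    return hmac.compare_digest(expected.encode(), params["OC-Signature"].encode())


if __name__ == "__main__":
    forged = presign("bob", "", "DELETE", "/dav/files/bob/report.pdf", now=1000)
    print("vulnerable accepts forged URL:", verify_vulnerable("DELETE", forged, now=1010))
    print("hardened accepts forged URL:  ", verify_hardened("DELETE", forged, now=1010))
```

The check that matters is the one on the existence of the key, not on the signature: once verification is allowed to run with a default key, the signature step only confirms that the attacker knows that default. Treating "no key configured" as "this feature is disabled for this user" is the same pattern that applies to any per-user secret used for request signing.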

Vulnerabilities

"Sierra:21" vulnerabilities impact critical infrastructure routers

A set of 21 newly discovered vulnerabilities impact Sierra OT/IoT routers and threaten critical infrastructure with remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks. [..] AirLink routers are highly regarded in the field of industrial and mission-critical applications due to high-performance 3G/4G/5G and WiFi and multi-network connectivity.

https://www.bleepingcomputer.com/news/security/sierra-21-vulnerabilities-impact-critical-infrastructure-routers/


Code injection in Atlassian products: four critical vulnerabilities surface

Admins of Confluence, Jira and Bitbucket cannot get a break from patching: Atlassian has once again released urgent updates for its most important products.

https://www.heise.de/-9565780


Kiosk Escape Privilege Escalation in One Identity Password Manager Secure Password Extension

The Password Manager Extension from One Identity can be used to perform two different kiosk escapes on the lock screen of a Windows client. Both escapes allow an attacker to execute commands with the privileges of the SYSTEM account.

https://sec-consult.com/vulnerability-lab/advisory/kiosk-escape-privilege-escalation-one-identity-password-manager-secure-password-extension/


Security updates for Wednesday

Security updates have been issued by Fedora (chromium, clevis-pin-tpm2, firefox, keyring-ima-signer, libkrun, perl, perl-PAR-Packer, polymake, poppler, rust-bodhi-cli, rust-coreos-installer, rust-fedora-update-feedback, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sequoia-wot, rust-sevctl, rust-snphost, and rust-tealdeer), Mageia (samba), Red Hat (postgresql:12), SUSE (haproxy and kernel-firmware), and Ubuntu (haproxy, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-lowlatency, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oem-6.1, and redis).

https://lwn.net/Articles/953861/


Command injection via the CLI of the DrayTek Vigor167 (SYSS-2023-023)

The command-line interface (CLI) of the DrayTek Vigor167 running modem firmware 5.2.2 allows authenticated attackers to execute arbitrary code on the modem. Users who have access to the web interface but hold no privileges at all can also reach the CLI and use it to take over the modem.

https://www.syss.de/pentest-blog/command-injection-via-cli-des-draytek-vigor167-syss-2023-023


Security Advisory - Identity Bypass Vulnerability in Some Huawei Smart Screen Products

http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ibvishssp-4bf951d4-en


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/