Daily summary - 07.02.2023

End-of-Day report

Timeframe: Monday 06-02-2023 18:00 - Tuesday 07-02-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a

News

Researcher breaches Toyota supplier portal with info on 14,000 partners

The issues were responsibly disclosed to Toyota on November 3, 2022, and the Japanese car maker confirmed they had been fixed by November 23, 2022. EatonWorks published a detailed writeup about the discoveries today, after the 90-day disclosure period had passed.

https://www.bleepingcomputer.com/news/security/researcher-breaches-toyota-supplier-portal-with-info-on-14-000-partners/


APIs Used by Bots to Detect Public IP address, (Mon, Feb 6th)

Many of the bots I am observing attempt to detect the infected system's public ("WAN") IP address. Most of these systems are assumed to be behind NAT. To detect the external IP address, these bots use various public APIs. It may be helpful to detect these requests. Many use unique host names. This will make detecting the request in DNS logs easy even if TLS is not intercepted.

https://isc.sans.edu/diary/rss/29516


Android Security Bulletin-February 2023

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-02-05 or later address all of these issues. [..] The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed.

https://source.android.com/docs/security/bulletin/2023-02-01


Discovering a weakness leading to a partial bypass of the login rate limiting in the AWS Console

AWS applies a rate limit to authentication requests made to the AWS Console, in an effort to prevent brute-force and credential stuffing attacks. In this post, we discuss a weakness we discovered in the AWS Console authentication flow that allowed us to partially bypass this rate limit and continuously attempt more than 280 passwords per minute (4.6 per second). The weakness has since been mitigated by AWS.

https://securitylabs.datadoghq.com/articles/aws-console-rate-limit-bypass/


Smishing: Beware of fake Magenta SMS

Fake Magenta text messages are currently circulating in large numbers. The message claims that your invoice could not be paid. Do not click the link: it leads to a fake Magenta page where criminals steal your data and your money.

https://www.watchlist-internet.at/news/smishing-vorsicht-vor-diesem-fake-magenta-sms/


Saferinternet.at study: Young people and misinformation on the internet

On the occasion of today's Safer Internet Day, Saferinternet.at conducted a study on the topic "Young people and misinformation on the internet". The results show that Austria's young people face a dilemma when dealing with information on the internet: they inform themselves about everyday topics primarily via social media, yet they hardly trust the information they obtain there.

https://www.watchlist-internet.at/news/studie-jugendliche-und-falschinformationen-im-internet/


Safer Internet Day: FAQ on internet safety for children and adolescents

Many dangers lurk on the internet for adolescents who cannot yet assess them. They can be protected through education and tools.

https://heise.de/-7333482


This notorious ransomware has now found a new target

The authors of Clop ransomware are experimenting with a Linux variant - a warning that multiple different platforms are in the sights of cyber extortionists.

https://www.zdnet.com/article/this-notorious-ransomware-is-now-targeting-linux-systems-too/#ftag=RSSbaffb68

Vulnerabilities

ZDI-23-094: Netatalk dsi_writeinit Heap-based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.

http://www.zerodayinitiative.com/advisories/ZDI-23-094/


TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering

Subcomponent: Frontend Rendering (ext:frontend, ext:core)
Affected Versions: 8.7.0-8.7.50, 9.0.0-9.5.39, 10.0.0-10.4.34, 11.0.0-11.5.22, 12.0.0-12.1.3
Severity: High
References: CVE-2023-24814, CWE-79

https://typo3.org/security/advisory/typo3-core-sa-2023-001


Multiple DMS XSS (CVE-2022-47412 through CVE-2022-47419)

Through the course of routine security testing and analysis, Rapid7 has discovered several issues in on-premises installations of open source and freemium Document Management System (DMS) offerings from four vendors: ONLYOFFICE, OpenKM, LogicalDOC, Mayan [..] Unfortunately, none of these vendors were able to respond to Rapid7's disclosure outreach.

https://www.rapid7.com/blog/post/2023/02/07/multiple-dms-xss-cve-2022-47412-through-cve-20222-47419/


OpenSSL Security Advisory [7th February 2023]

* Severity: High - X.400 address type confusion in X.509 GeneralName (CVE-2023-0286): [...] this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
* Severity: Moderate - CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401

https://www.openssl.org/news/secadv/20230207.txt


File transfer solution: Zero-day vulnerability in GoAnywhere MFT servers

Attackers are currently targeting servers running GoAnywhere MFT. No security update is available yet. A temporary workaround secures affected systems.

https://heise.de/-7487393


VMSA-2023-0003

CVSSv3 Range: 7.8
CVE(s): CVE-2023-20854
Synopsis: VMware Workstation update addresses an arbitrary file deletion vulnerability (CVE-2023-20854)

https://www.vmware.com/security/advisories/VMSA-2023-0003.html


Security updates for Tuesday

Security updates have been issued by Debian (graphite-web, openjdk-11, webkit2gtk, wpewebkit, and xorg-server), Mageia (advancecomp, apache, dojo, git, java/timezone, libtiff, libxpm, netatalk, nodejs-minimist, opusfile, python-django, python-future, python-mechanize, ruby-sinatra, sofia-sip, thunderbird, and tigervnc), Oracle (git and thunderbird), Red Hat (git, libksba, rh-git227-git, rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon, and thunderbird), SUSE (apache2, nginx, php8-pear, redis, rubygem-activesupport-5_1, rubygem-rack, sssd, xorg-x11-server, and xwayland), and Ubuntu (tmux).

https://lwn.net/Articles/922519/


Ichiran App vulnerable to improper server certificate verification

https://jvn.jp/en/jp/JVN11257333/


Cisco IOx Application Hosting Environment Command Injection Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iox-8whGn5dL?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20IOx%20Application%20Hosting%20Environment%20Command%20Injection%20Vulnerability&vs_k=1


EnOcean SmartServer

https://us-cert.cisa.gov/ics/advisories/icsa-23-037-01


IBM Security Verify Governance, Identity Manager software component is affected by a vulnerability CVE-2023-23477

https://www.ibm.com/support/pages/node/6953461


Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU

https://www.ibm.com/support/pages/node/6839565


A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2023-23477)

https://www.ibm.com/support/pages/node/6953483


A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2023-23477)

https://www.ibm.com/support/pages/node/6953497


Denial of Service vulnerability affects IBM Business Automation Workflow - CVE-2022-25887

https://www.ibm.com/support/pages/node/6952745



Apache POI is vulnerable to a denial of service, caused by an out of memory exception flaw in the HMEF package (CVE-2022-26336)

https://www.ibm.com/support/pages/node/6953525


Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619)

https://www.ibm.com/support/pages/node/6953557


Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619)

https://www.ibm.com/support/pages/node/6953559


IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to bypassing security restrictions, denial of service attacks, and data integrity impacts due to multiple vulnerabilities.

https://www.ibm.com/support/pages/node/6953579


IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626)

https://www.ibm.com/support/pages/node/6953583


IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003)

https://www.ibm.com/support/pages/node/6953587


IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004)

https://www.ibm.com/support/pages/node/6953589