Tageszusammenfassung - 10.02.2023

End-of-Day report

Timeframe: Donnerstag 09-02-2023 18:00 - Freitag 10-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter


Obfuscated Deactivation of Script Block Logging, (Fri, Feb 10th)

PowerShell has a great built-in feature called "Script Block Logging"[1]. It helps to record all activities performed by a script and is a goldmine for incident handlers. That's the reason why attackers tend to try to disable this feature. There are many ways to achieve this, but I found an interesting one.


Bogus URL Shorteners Redirect Thousands of Hacked Sites in AdSense Fraud Campaign

Late last year we reported on a malware campaign targeting thousands of WordPress websites to redirect visitors to bogus Q&A websites. The sites themselves contained very little useful information to a regular visitor, but - more importantly - also contained Google Adsense advertisements. It appeared to be an attempt to artificially pump ad views to generate revenue. Since September, our SiteCheck remote scanner has detected this campaign on 10,890 infected sites.


Cracking the Odd Case of Randomness in Java

During a recent white-box assessment, we came across the use of RandomStringUtils.randomAlphanumeric being used in a security sensitive context. We knew it used Java-s weak java.util.Random class but were interested in seeing how practically exploitable it actually was, so we decided to dig into it and see how it worked under the hood.


What are the writable shares in this big domain?

RSMBI is a python tool that answers to the question: What are the writable shares in this big domain? RSMBI connect to each target and it mounts the available shares in the /tmp folder (but that can also be changed). Once the shares are successfully mounted the threads (or the solo one) would start (os.)walking recursively all the folders, trying get a file handle with writing rights.


0Day Avalanche Blockchain API DoS

This is a remote API DoS/crash that should OOM chain P and render a vulnerable node mostly or entirely useless.


Fake-Spendenaufrufe: Kriminelle missbrauchen Erdbebenkatastrophe

Das Erdbeben in der Türkei und in Nordsyrien löste eine Welle der Hilfsbereitschaft aus. Es gibt zahlreiche Möglichkeiten, um Überlebende finanziell zu unterstützen. Kriminelle missbrauchen die humanitäre Krise und versuchen auf verschiedenen Wegen die Solidarität durch Fake-Spendenaufrufe auszunutzen.



CKSource CKEditor5 35.4.0 Cross Site Scripting

CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via Full Featured CKEditor5 Widget as the editor failsto sanitize user provided data.


Security updates for Friday

Security updates have been issued by Debian (postgresql-11 and sox), Fedora (opusfile), SUSE (bind, jasper, libapr-util1, pkgconf, tiff, and xrdp), and Ubuntu (cinder, imagemagick, less, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gkeop, linux-kvm, linux-oracle, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux, linux-azure, linux-azure-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-azure-4.15, linux-dell300x, linux-gke, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-snapdragon, nova, and swift).


Statement About the DoS Vulnerability in the E5573Cs-322


Multiple vulnerabilities in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619)


Vulnerabilities in IBM Semeru Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21618, CVE-2022-39399, CVE-2022-21624, CVE-2022-21619, CVE-2022-3676)


Vulnerability in IBM Java Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-3676)


Vulnerability in IBM Java (CVE-2022-3676) affects Power HMC


Vulnerability in IBM Java (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624 and CVE-2022-21619) affects Power HMC


Vulnerability in Firefox (CVE-2022-43926) affects Power HMC


A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-23477)


IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to arbitrary code execution due to [CVE-2022-45907]


Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway.


CVE-2022-3676 may affect IBM TXSeries for Multiplatforms


IBM MQ Appliance is vulnerable to identity spoofing (CVE-2022-22476)


IBM MQ Appliance is affected by kernel vulnerabilities (CVE-2021-45485, CVE-2021-45486 and CVE-2022-1012)


IBM MQ Appliance is vulnerable to HTTP header injection (CVE-2022-34165)


IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750)


IBM MQ Appliance is vulnerable to improper session invalidation (CVE-2022-40230)


IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775)


IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-31744)


IBM Sterling Connect:Direct for UNIX is vulnerable to denial of servce due to IBM Java (CVE-2022-21626)


A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM\/GKLM) (CVE-2023-23477)