Daily summary - 14.02.2023

End-of-Day report

Timeframe: Monday 13-02-2023 18:00 - Tuesday 14-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a

News

New stealthy Beep malware focuses heavily on evading detection

A new stealthy malware named Beep was discovered last week, featuring many features to evade analysis and detection by security software.

https://www.bleepingcomputer.com/news/security/new-stealthy-beep-malware-focuses-heavily-on-evading-detection/


Exploiting a remote heap overflow with a custom TCP stack

In November 2021 our team took part in the ZDI Pwn2Own Austin 2021 competition with multiple entries. One of them successfully compromised the Western Digital MyCloudHome connected hard drive via a 0-day in the Netatalk daemon. Our exploit was unusual because triggering the vulnerability required messing with the remote TCP stack, so we wrote our own. This blog post will provide some technical details about it.

https://www.synacktiv.com/publications/exploiting-a-remote-heap-overflow-with-a-custom-tcp-stack.html


Securing Open-Source Solutions: A Study of osTicket Vulnerabilities

One of the applications assessed was osTicket, an open-source ticketing system. With distinctive features and plugins, osTicket gives users the ability to "Manage, organize, and archive all your support requests and responses (...)". During our assessment, the Checkmarx Labs team found some interesting vulnerabilities. In this blog/report, not only will we disclose some of the identified vulnerabilities but also elaborate on the team's approach to identifying them.

https://checkmarx.com/blog/securing-open-source-solutions-a-study-of-osticket-vulnerabilities/


Amazon: beware of fake calls

Criminals are currently posing as Amazon employees and pretending there is a problem with your order. You are asked to submit payment data, authorize payments and install maintenance software such as TeamViewer. Hang up and block the number.

https://www.watchlist-internet.at/news/amazon-vorsicht-vor-fake-anrufen/


A Deep Dive into Reversing CODESYS

This white paper offers a technical deep dive into PLC protocols and how to safely scan CODESYS-based ICS networking stacks.

https://www.rapid7.com/blog/post/2023/02/14/a-deep-dive-into-reversing-codesys/


Typosquatting: Legit Abquery Package Duped with Malicious Aabquerys

Aabquerys uses the typosquatting technique to encourage downloading malicious components, as it has been cleverly named to make it sound like the legitimate NPM module Abquery.

https://www.hackread.com/typosquatting-abquery-package-aabquerys/


Vulnerabilities

Serious Security: GnuTLS follows OpenSSL, fixes timing attack bug

Conditional code considered cryptographically counterproductive.

https://nakedsecurity.sophos.com/2023/02/13/serious-security-gnutls-follows-openssl-fixes-timing-attack-bug/


Patch Now: Apple's iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw

Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild. Tracked as CVE-2023-23529, the issue relates to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution.

https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html


Patch day: SAP protects its software against possible attacks

Important security updates have been released, among others for SAP BusinessObjects and SAP Start Service.

https://heise.de/-7494856


Certain Windows 10 versions preinstalled on HP computers are vulnerable

Anyone using an HP PC with an older Windows 10 edition should install a security patch.

https://heise.de/-7494955


Security updates for Tuesday

Security updates have been issued by Debian (imagemagick), Fedora (xml-security-c), Red Hat (grub2), SUSE (chromium, freerdp, libbpf, and python-setuptools), and Ubuntu (fig2dev and python-django).

https://lwn.net/Articles/923267/


Citrix Virtual Apps and Desktops Security Bulletin for CVE-2023-24483

A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA. CVE-2023-24483

https://support.citrix.com/article/CTX477616/citrix-virtual-apps-and-desktops-security-bulletin-for-cve202324483


Citrix Workspace app for Windows Security Bulletin for CVE-2023-24484 & CVE-2023-24485

A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA. CVE-2023-24484 & CVE-2023-24485

https://support.citrix.com/article/CTX477617/citrix-workspace-app-for-windows-security-bulletin-for-cve202324484-cve202324485


Citrix Workspace app for Linux Security Bulletin for CVE-2023-24486

A vulnerability has been identified in Citrix Workspace app for Linux that, if exploited, may result in a malicious local user being able to gain access to the Citrix Virtual Apps and Desktops session of another user who is using the same computer from which the ICA session is launched. CVE-2023-24486

https://support.citrix.com/article/CTX477618/citrix-workspace-app-for-linux-security-bulletin-for-cve202324486


SonicWall Email Security Information Disclosure Vulnerability

SonicWall Email Security contains a vulnerability that could permit a remote unauthenticated attacker access to an error page that includes sensitive information about users' email addresses. CVE: CVE-2023-0655

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0002


The installers of ELECOM Camera Assistant and QuickFileDealer may insecurely load Dynamic Link Libraries

The installers of ELECOM Camera Assistant and QuickFileDealer provided by ELECOM CO.,LTD. may insecurely load Dynamic Link Libraries.

https://jvn.jp/en/jp/JVN60263237/


Improper restriction of XML external entity reference (XXE) vulnerability in tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools

tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools provided by FUJITSU LIMITED contain an improper restriction of XML external entity reference (XXE) vulnerability.

https://jvn.jp/en/jp/JVN00712821/


101news By Mayuri K 1.0 SQL Injection

https://cxsecurity.com/issue/WLB-2023020025


Developed by Ameya Computers LOGIN SQL INJECT-ON

https://cxsecurity.com/issue/WLB-2023020024


SSA-953464 V1.0: Multiple Vulnerabilities in Siemens Brownfield Connectivity - Client before V2.15

https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf


SSA-847261 V1.0: Multiple SPP File Parsing Vulnerabilities in Tecnomatix Plant Simulation

https://cert-portal.siemens.com/productcert/pdf/ssa-847261.pdf


SSA-836777 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Parasolid

https://cert-portal.siemens.com/productcert/pdf/ssa-836777.pdf


SSA-744259 V1.0: Golang Vulnerabilities in Brownfield Connectivity - Gateway before V1.10.1

https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf


SSA-693110 V1.0: Buffer Overflow Vulnerability in COMOS

https://cert-portal.siemens.com/productcert/pdf/ssa-693110.pdf


SSA-686975 V1.0: IPU 2022.3 Vulnerabilities in Siemens Industrial Products using Intel CPUs

https://cert-portal.siemens.com/productcert/pdf/ssa-686975.pdf


SSA-658793 V1.0: Command Injection Vulnerability in SiPass integrated AC5102 / ACC-G2 and ACC-AP

https://cert-portal.siemens.com/productcert/pdf/ssa-658793.pdf


SSA-640968 V1.0: Untrusted Search Path Vulnerability in TIA Project-Server formerly known as TIA Multiuser Server

https://cert-portal.siemens.com/productcert/pdf/ssa-640968.pdf


SSA-617755 V1.0: Denial of Service Vulnerability in the SNMP Agent of SCALANCE X-200IRT Products

https://cert-portal.siemens.com/productcert/pdf/ssa-617755.pdf


SSA-565356 V1.0: X_T File Parsing Vulnerabilities in Simcenter Femap before V2023.1

https://cert-portal.siemens.com/productcert/pdf/ssa-565356.pdf


SSA-491245 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge

https://cert-portal.siemens.com/productcert/pdf/ssa-491245.pdf


SSA-450613 V1.0: Insyde BIOS Vulnerabilities in RUGGEDCOM APE1808 Product Family

https://cert-portal.siemens.com/productcert/pdf/ssa-450613.pdf


SSA-252808 V1.0: XPath Constraint Vulnerability in Mendix Runtime

https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf


PHOENIX CONTACT: Multiple Vulnerabilities in PLCnext Firmware

https://cert.vde.com/de/advisories/VDE-2023-001/


Weintek EasyBuilder Pro cMT Series

https://us-cert.cisa.gov/ics/advisories/icsa-23-045-01


Advisory: Reflected Cross-Site Scripting Vulnerabilities in SDM

https://www.br-automation.com/downloads_br_productcatalogue/assets/1675607299099-en-original-1.0.pdf


IBM Db2 Web Query for i is vulnerable to arbitrary code execution due to Apache Commons Text [CVE-2022-42889]

https://www.ibm.com/support/pages/node/6955251


IBM App Connect Enterprise Certified Container operands may be vulnerable to security restrictions bypass due to [CVE-2021-25743]

https://www.ibm.com/support/pages/node/6955255


IBM Sterling Control Center is vulnerable to a denial of service due to Java SE (CVE-2022-21626)

https://www.ibm.com/support/pages/node/6955277


IBM Sterling Control Center is vulnerable to security bypass due to Eclipse Openj9 (CVE-2022-3676)

https://www.ibm.com/support/pages/node/6955281


CVE-2022-21624 may affect IBM® SDK, Java™ Technology Edition for Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint

https://www.ibm.com/support/pages/node/6955493


CVE-2022-3676 may affect Eclipse Openj9 used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint

https://www.ibm.com/support/pages/node/6955497


IBM QRadar SIEM is vulnerable to possible information disclosure [CVE-2023-22875]

https://www.ibm.com/support/pages/node/6855643