End-of-Day report
Timeframe: Monday 13-02-2023 18:00 - Tuesday 14-02-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
New stealthy Beep malware focuses heavily on evading detection
A new stealthy malware named Beep was discovered last week, featuring many features to evade analysis and detection by security software.
https://www.bleepingcomputer.com/news/security/new-stealthy-beep-malware-focuses-heavily-on-evading-detection/
Exploiting a remote heap overflow with a custom TCP stack
In November 2021 our team took part in the ZDI Pwn2Own Austin 2021 competition with multiple entries. One of them successfully compromised the Western Digital MyCloudHome connected hard drive via a 0-day in the Netatalk daemon. Our exploit was unusual because triggering the vulnerability required messing with the remote TCP stack, so we wrote our own. This blog post will provide some technical details about it.
https://www.synacktiv.com/publications/exploiting-a-remote-heap-overflow-with-a-custom-tcp-stack.html
Securing Open-Source Solutions: A Study of osTicket Vulnerabilities
One of the applications assessed was osTicket, an open-source ticketing system. With distinctive features and plugins, osTicket gives users the ability to "Manage, organize, and archive all your support requests and responses (...)". During our assessment, the Checkmarx Labs team found some interesting vulnerabilities. In this blog/report, not only will we disclose some of the identified vulnerabilities but also elaborate on the team's approach to identifying them.
https://checkmarx.com/blog/securing-open-source-solutions-a-study-of-osticket-vulnerabilities/
Amazon: Beware of fake calls
Criminals are currently posing as Amazon employees and pretending there is a problem with your order. You are asked to submit payment details, authorise payments and install remote maintenance software such as TeamViewer. Hang up and block the number.
https://www.watchlist-internet.at/news/amazon-vorsicht-vor-fake-anrufen/
A Deep Dive into Reversing CODESYS
This white paper offers a technical deep dive into PLC protocols and how to safely scan CODESYS-based ICS networking stacks.
https://www.rapid7.com/blog/post/2023/02/14/a-deep-dive-into-reversing-codesys/
Typosquatting: Legit Abquery Package Duped with Malicious Aabquerys
Aabquerys uses the typosquatting technique to encourage downloading malicious components, as it has been cleverly named to make it sound like the legitimate NPM module Abquery.
https://www.hackread.com/typosquatting-abquery-package-aabquerys/
Vulnerabilities
Serious Security: GnuTLS follows OpenSSL, fixes timing attack bug
Conditional code considered cryptographically counterproductive.
https://nakedsecurity.sophos.com/2023/02/13/serious-security-gnutls-follows-openssl-fixes-timing-attack-bug/
Patch Now: Apple's iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw
Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild. Tracked as CVE-2023-23529, the issue relates to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution.
https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html
Patch day: SAP protects its software against possible attacks
Important security updates have been released, among others for SAP BusinessObjects and SAP Start Service.
https://heise.de/-7494856
Certain Windows 10 versions preinstalled on HP computers are vulnerable
Anyone using an HP PC with an older Windows 10 edition should install a security patch.
https://heise.de/-7494955
Security updates for Tuesday
Security updates have been issued by Debian (imagemagick), Fedora (xml-security-c), Red Hat (grub2), SUSE (chromium, freerdp, libbpf, and python-setuptools), and Ubuntu (fig2dev and python-django).
https://lwn.net/Articles/923267/
Citrix Virtual Apps and Desktops Security Bulletin for CVE-2023-24483
A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA.
CVE-2023-24483
https://support.citrix.com/article/CTX477616/citrix-virtual-apps-and-desktops-security-bulletin-for-cve202324483
Citrix Workspace app for Windows Security Bulletin for CVE-2023-24484 & CVE-2023-24485
A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA.
CVE-2023-24484 & CVE-2023-24485
https://support.citrix.com/article/CTX477617/citrix-workspace-app-for-windows-security-bulletin-for-cve202324484-cve202324485
Citrix Workspace app for Linux Security Bulletin for CVE-2023-24486
A vulnerability has been identified in Citrix Workspace app for Linux that, if exploited, may result in a malicious local user being able to gain access to the Citrix Virtual Apps and Desktops session of another user who is using the same computer from which the ICA session is launched.
CVE-2023-24486
https://support.citrix.com/article/CTX477618/citrix-workspace-app-for-linux-security-bulletin-for-cve202324486
SonicWall Email Security Information Disclosure Vulnerability
SonicWall Email Security contains a vulnerability that could permit a remote unauthenticated attacker access to an error page that includes sensitive information about users' email addresses.
CVE: CVE-2023-0655
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0002
The installers of ELECOM Camera Assistant and QuickFileDealer may insecurely load Dynamic Link Libraries
The installers of ELECOM Camera Assistant and QuickFileDealer provided by ELECOM CO.,LTD. may insecurely load Dynamic Link Libraries.
https://jvn.jp/en/jp/JVN60263237/
Improper restriction of XML external entity reference (XXE) vulnerability in tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools
tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools provided by FUJITSU LIMITED contain an improper restriction of XML external entity reference (XXE) vulnerability.
https://jvn.jp/en/jp/JVN00712821/
101news By Mayuri K 1.0 SQL Injection
https://cxsecurity.com/issue/WLB-2023020025
Developed by Ameya Computers LOGIN SQL INJECTION
https://cxsecurity.com/issue/WLB-2023020024
SSA-953464 V1.0: Multiple Vulnerabilities in Siemens Brownfield Connectivity - Client before V2.15
https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf
SSA-847261 V1.0: Multiple SPP File Parsing Vulnerabilities in Tecnomatix Plant Simulation
https://cert-portal.siemens.com/productcert/pdf/ssa-847261.pdf
SSA-836777 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Parasolid
https://cert-portal.siemens.com/productcert/pdf/ssa-836777.pdf
SSA-744259 V1.0: Golang Vulnerabilities in Brownfield Connectivity - Gateway before V1.10.1
https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
SSA-693110 V1.0: Buffer Overflow Vulnerability in COMOS
https://cert-portal.siemens.com/productcert/pdf/ssa-693110.pdf
SSA-686975 V1.0: IPU 2022.3 Vulnerabilities in Siemens Industrial Products using Intel CPUs
https://cert-portal.siemens.com/productcert/pdf/ssa-686975.pdf
SSA-658793 V1.0: Command Injection Vulnerability in SiPass integrated AC5102 / ACC-G2 and ACC-AP
https://cert-portal.siemens.com/productcert/pdf/ssa-658793.pdf
SSA-640968 V1.0: Untrusted Search Path Vulnerability in TIA Project-Server formerly known as TIA Multiuser Server
https://cert-portal.siemens.com/productcert/pdf/ssa-640968.pdf
SSA-617755 V1.0: Denial of Service Vulnerability in the SNMP Agent of SCALANCE X-200IRT Products
https://cert-portal.siemens.com/productcert/pdf/ssa-617755.pdf
SSA-565356 V1.0: X_T File Parsing Vulnerabilities in Simcenter Femap before V2023.1
https://cert-portal.siemens.com/productcert/pdf/ssa-565356.pdf
SSA-491245 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge
https://cert-portal.siemens.com/productcert/pdf/ssa-491245.pdf
SSA-450613 V1.0: Insyde BIOS Vulnerabilities in RUGGEDCOM APE1808 Product Family
https://cert-portal.siemens.com/productcert/pdf/ssa-450613.pdf
SSA-252808 V1.0: XPath Constraint Vulnerability in Mendix Runtime
https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf
PHOENIX CONTACT: Multiple Vulnerabilities in PLCnext Firmware
https://cert.vde.com/de/advisories/VDE-2023-001/
Weintek EasyBuilder Pro cMT Series
https://us-cert.cisa.gov/ics/advisories/icsa-23-045-01
Advisory: Reflected Cross-Site Scripting Vulnerabilities in SDM
https://www.br-automation.com/downloads_br_productcatalogue/assets/1675607299099-en-original-1.0.pdf
IBM Db2 Web Query for i is vulnerable to arbitrary code execution due to Apache Commons Text [CVE-2022-42889]
https://www.ibm.com/support/pages/node/6955251
IBM App Connect Enterprise Certified Container operands may be vulnerable to security restrictions bypass due to [CVE-2021-25743]
https://www.ibm.com/support/pages/node/6955255
IBM Sterling Control Center is vulnerable to a denial of service due to Java SE (CVE-2022-21626)
https://www.ibm.com/support/pages/node/6955277
IBM Sterling Control Center is vulnerable to security bypass due to Eclipse Openj9 (CVE-2022-3676)
https://www.ibm.com/support/pages/node/6955281
CVE-2022-21624 may affect IBM® SDK, Java™ Technology Edition for Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint
https://www.ibm.com/support/pages/node/6955493
CVE-2022-3676 may affect Eclipse Openj9 used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint
https://www.ibm.com/support/pages/node/6955497
IBM QRadar SIEM is vulnerable to possible information disclosure [CVE-2023-22875]
https://www.ibm.com/support/pages/node/6855643