End-of-Day report
Timeframe: Tuesday 14-02-2023 18:00 - Wednesday 15-02-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Adobe patch day: malicious code attacks on After Effects & co. possible
Adobe has released security updates for, among others, After Effects, InDesign and Photoshop.
https://heise.de/-7496102
Bluetooth bug in Android 13 can endanger diabetics
A bug in Android 13 can disrupt the communication between a blood glucose sensor and its companion app. The app then fails to warn of dangerous hypoglycaemia.
https://heise.de/-7496644
Attackers target Microsoft 365 and Windows - several critical vulnerabilities
Important security updates have been released for, among others, Azure, Exchange Server and Windows. Several of the vulnerabilities are rated "critical".
https://heise.de/-7496015
Subscription trap when buying phone cases on puffcase-official.com
If you are looking for a protective case for your smartphone, beware of puffcase-official.com. While the "Puffcases" look cheap at first glance and tempt you into a quick purchase, the site turns out to be a subscription trap. You only find out when the next charge shows up on your credit card. Do not order there!
https://www.watchlist-internet.at/news/abo-falle-beim-kauf-von-handyhuellen-auf-puffcase-officialcom/
NPM packages posing as speed testers install crypto miners instead
A new set of 16 malicious NPM packages is pretending to be internet speed testers but is, in reality, a collection of coinminers that hijack the compromised computers' resources to mine cryptocurrency for the threat actors.
https://www.bleepingcomputer.com/news/security/npm-packages-posing-as-speed-testers-install-crypto-miners-instead/
Hyundai and Kia issue software upgrades to thwart killer TikTok car theft hack
Gone in 60 seconds using a USB-A plug and brute force instead of a key
Korean car-makers Hyundai and Kia will issue software updates to some of their models after a method of stealing them circulated on TikTok, leading to many thefts and even some deaths.
https://go.theregister.com/feed/www.theregister.com/2023/02/15/hyundai_kia_software_upgrades/
PYbot DDoS Malware Being Distributed Disguised as a Discord Nitro Code Generator
The ASEC analysis team has recently discovered Pybot DDoS being distributed with illegal software. The program used as bait by the threat actor is a token generator called Nitro Generator. Nitro is a paid Discord service with various benefits which can be seen below in Figure 1. Nitro Generator is a tool that generates codes that can be used for free access to Nitro.
https://asec.ahnlab.com/en/47789/
cURL audit: How a joke led to significant findings
In fall 2022, Trail of Bits audited cURL, a widely-used command-line utility that transfers data between a server and supports various protocols. [..] the fuzzer quickly uncovered memory corruption bugs, specifically use-after-free issues, double-free issues, and memory leaks. Because the bugs are in libcurl, a cURL development library, they have the potential to affect the many software applications that use libcurl. This blog post describes how we found the following vulnerabilities
https://blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-line-interface/
ICS Patch Tuesday: 100 Vulnerabilities Addressed by Siemens, Schneider Electric
Siemens has published 13 new advisories covering a total of 86 vulnerabilities. [..] Schneider Electric has published three advisories covering 10 vulnerabilities.
https://www.securityweek.com/ics-patch-tuesday-100-vulnerabilities-addressed-by-siemens-schneider-electric/
DNS Abuse Techniques Matrix
The FIRST DNS Abuse SIG has been working on a document for some time, which has now finally been published: a matrix of DNS abuse techniques and their stakeholders. It's intended to help people experiencing DNS abuse, particularly incident responders and security teams.
https://www.first.org/global/sigs/dns/DNS-Abuse-Techniques-Matrix_v1.1.pdf
Sustained Activity by Threat Actors
The European Union Agency for Cybersecurity (ENISA) and the CERT of the EU institutions, bodies and agencies (CERT-EU) jointly published a report to alert on sustained activity by particular threat actors. The malicious cyber activities of the presented threat actors pose a significant and ongoing threat to the European Union.
https://www.enisa.europa.eu/news/sustained-activity-by-threat-actors
Abusing Azure App Service Managed Identity Assignments
[...] Managed Identities are great and admins should absolutely use them. But admins also need to understand the risks that come with Managed Identities and how to deal with those risks. In this blog post I will explain those risks, demonstrate how an attacker can abuse App Service Managed Identity assignments, and show you how to identify and deal with those risks yourself.
https://posts.specterops.io/abusing-azure-app-service-managed-identity-assignments-c3adefccff95
Vulnerabilities
AMD: Cross-Thread Return Address Predictions
AMD internally discovered a potential vulnerability where certain AMD processors may speculatively execute instructions at an incorrect return site after an SMT mode switch that may potentially lead to information disclosure. AMD believes that due to existing mitigations applied to address other speculation-based issues, theoretical avenues for potential exploit of CVE-2022-27672 may be limited only to select virtualization environments where a virtual machine is given special privileges.
https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1045
HAProxy Security Update (CVE-2023-25725)
A team of security researchers notified me on Thursday evening that they had found a dirty bug in HAProxy's headers processing, and that, when properly exploited, this bug allows one to build an HTTP content smuggling attack. [..] The issue was fixed in all versions and all modes (HTX and legacy), and all versions were upgraded. [..] Distros were notified (not very long ago admittedly, the delay was quite short for them) and updated packages will appear soon.
https://www.mail-archive.com/haproxy@formilux.org/msg43229.html
Security updates for Wednesday
Security updates have been issued by Debian (gnutls28 and haproxy), Fedora (syslog-ng), Mageia (apr-util, chromium-browser-stable, editorconfig-core-c, ffmpeg, libzen, phpmyadmin, tpm2-tss, and webkit2), Oracle (kernel and kernel-container), Slackware (mozilla and php), SUSE (git, haproxy, kernel, nodejs18, phpMyAdmin, and timescaledb), and Ubuntu (APR-util, git, and haproxy).
https://lwn.net/Articles/923364/
Lenovo Product Security Advisories
* AMI MegaRAC SP-X BMC Redfish Vulnerabilities
* AMI MegaRAC SP-X BMC Vulnerabilities
* Crypto API Toolkit for Intel SGX Advisory
* Intel Ethernet Controllers and Adapters Advisory
* Intel Ethernet VMware Drivers Advisory
* Intel Integrated Sensor Solution Advisory
* Intel Server Platform Services (SPS) Vulnerabilities
* Intel SGX SDK Advisory
* Multi-Vendor BIOS Security Vulnerabilities (February 2023)
https://support.lenovo.com/at/en/product_security/home
Released: February 2023 Exchange Server Security Updates
Microsoft has released Security Updates (SUs) for vulnerabilities found in:
* Exchange Server 2013
* Exchange Server 2016
* Exchange Server 2019
SUs are available in a self-extracting auto-elevating .exe package, as well as the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.
SUs are available for the following specific versions of Exchange Server:
* Exchange Server 2013 CU23 (note that support and availability of SUs end on April 11, 2023)
* Exchange Server 2016
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-february-2023-exchange-server-security-updates/ba-p/3741058
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
XSA-426
https://xenbits.xen.org/xsa/advisory-426.html
Advisory: Impact of Insyde UEFI Boot Issues on B&R Products
https://www.br-automation.com/downloads_br_productcatalogue/assets/1675931547567-en-original-1.0.pdf
ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability Affecting Cisco Products: February 2023
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-q8DThCy
Cisco Nexus Dashboard Cross-Site Scripting Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nexus-dashboard-xss-xc5BcgsQ
Cisco Nexus Dashboard Denial of Service Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndb-dnsdos-bYscZOsu
Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-ubfHG75C
Cisco Email Security Appliance and Cisco Secure Email and Web Manager Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-privesc-9DVkFpJ8
ClamAV DMG File Parsing XML Entity Expansion Vulnerability Affecting Cisco Products: February 2023
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-xxe-TcSZduhN