Daily summary - 15.02.2023

End-of-Day report

Timeframe: Tuesday 14-02-2023 18:00 - Wednesday 15-02-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter

News

Adobe Patch Day: malicious-code attacks on After Effects & Co. possible

Adobe has released security updates for After Effects, InDesign and Photoshop, among other products.

https://heise.de/-7496102


Bluetooth bug in Android 13 can endanger diabetics

A bug in Android 13 can disrupt the communication between a blood-glucose sensor and its companion app. The app then fails to warn of dangerously low blood sugar.

https://heise.de/-7496644


Attackers targeting Microsoft 365 and Windows - several critical vulnerabilities

Important security updates have been released for Azure, Exchange Server and Windows, among others. Several of the vulnerabilities are rated "critical".

https://heise.de/-7496015


Subscription trap when buying phone cases on puffcase-official.com

If you are looking for a protective case for your smartphone, beware of puffcase-official.com. While the "Puffcases" look cheap at first glance and tempt you into a quick purchase, the site turns out to be a subscription trap. You only find out when the next charge shows up on your credit card. Do not order here!

https://www.watchlist-internet.at/news/abo-falle-beim-kauf-von-handyhuellen-auf-puffcase-officialcom/


NPM packages posing as speed testers install crypto miners instead

A new set of 16 malicious NPM packages is pretending to be internet speed testers but is, in reality, a set of coinminers that hijack the compromised computers' resources to mine cryptocurrency for the threat actors.

https://www.bleepingcomputer.com/news/security/npm-packages-posing-as-speed-testers-install-crypto-miners-instead/


Hyundai and Kia issue software upgrades to thwart killer TikTok car theft hack

Gone in 60 seconds using a USB-A plug and brute force instead of a key.

Korean car-makers Hyundai and Kia will issue software updates to some of their models after a method of stealing them circulated on TikTok, leading to many thefts and even some deaths.

https://go.theregister.com/feed/www.theregister.com/2023/02/15/hyundai_kia_software_upgrades/


PYbot DDoS Malware Being Distributed Disguised as a Discord Nitro Code Generator

The ASEC analysis team has recently discovered Pybot DDoS being distributed with illegal software. The program used as bait by the threat actor is a token generator called Nitro Generator. Nitro is a paid Discord service with various benefits which can be seen below in Figure 1. Nitro Generator is a tool that generates codes that can be used for free access to Nitro.

https://asec.ahnlab.com/en/47789/


cURL audit: How a joke led to significant findings

In fall 2022, Trail of Bits audited cURL, a widely-used command-line utility that transfers data to and from a server and supports various protocols. [..] the fuzzer quickly uncovered memory corruption bugs, specifically use-after-free issues, double-free issues, and memory leaks. Because the bugs are in libcurl, a cURL development library, they have the potential to affect the many software applications that use libcurl. This blog post describes how we found the following vulnerabilities

https://blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-line-interface/


ICS Patch Tuesday: 100 Vulnerabilities Addressed by Siemens, Schneider Electric

Siemens has published 13 new advisories covering a total of 86 vulnerabilities. [..] Schneider Electric has published three advisories covering 10 vulnerabilities.

https://www.securityweek.com/ics-patch-tuesday-100-vulnerabilities-addressed-by-siemens-schneider-electric/


DNS Abuse Techniques Matrix

The FIRST DNS Abuse SIG has been working on a document for some time, which has now finally been published: a matrix of DNS abuse techniques and their stakeholders. It's intended to help people experiencing DNS abuse, particularly incident responders and security teams.

https://www.first.org/global/sigs/dns/DNS-Abuse-Techniques-Matrix_v1.1.pdf


Sustained Activity by Threat Actors

The European Union Agency for Cybersecurity (ENISA) and the CERT of the EU institutions, bodies and agencies (CERT-EU) jointly published a report to alert on sustained activity by particular threat actors. The malicious cyber activities of the presented threat actors pose a significant and ongoing threat to the European Union.

https://www.enisa.europa.eu/news/sustained-activity-by-threat-actors


Abusing Azure App Service Managed Identity Assignments

[...] Managed Identities are great and admins should absolutely use them. But admins also need to understand the risks that come with Managed Identities and how to deal with those risks. In this blog post I will explain those risks, demonstrate how an attacker can abuse App Service Managed Identity assignments, and show you how to identify and deal with those risks yourself.

https://posts.specterops.io/abusing-azure-app-service-managed-identity-assignments-c3adefccff95

Vulnerabilities

AMD: Cross-Thread Return Address Predictions

AMD internally discovered a potential vulnerability where certain AMD processors may speculatively execute instructions at an incorrect return site after an SMT mode switch that may potentially lead to information disclosure. AMD believes that due to existing mitigations applied to address other speculation-based issues, theoretical avenues for potential exploit of CVE-2022-27672 may be limited only to select virtualization environments where a virtual machine is given special privileges.

https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1045


HAProxy Security Update (CVE-2023-25725)

A team of security researchers notified me on Thursday evening that they had found a dirty bug in HAProxy's headers processing, and that, when properly exploited, this bug allows building an HTTP content smuggling attack. [..] The issue was fixed in all versions and all modes (HTX and legacy), and all versions were upgraded. [..] Distros were notified (not very long ago admittedly, the delay was quite short for them) and updated packages will appear soon.

https://www.mail-archive.com/haproxy@formilux.org/msg43229.html


Security updates for Wednesday

Security updates have been issued by Debian (gnutls28 and haproxy), Fedora (syslog-ng), Mageia (apr-util, chromium-browser-stable, editorconfig-core-c, ffmpeg, libzen, phpmyadmin, tpm2-tss, and webkit2), Oracle (kernel and kernel-container), Slackware (mozilla and php), SUSE (git, haproxy, kernel, nodejs18, phpMyAdmin, and timescaledb), and Ubuntu (APR-util, git, and haproxy).

https://lwn.net/Articles/923364/


Lenovo Product Security Advisories

* AMI MegaRAC SP-X BMC Redfish Vulnerabilities
* AMI MegaRAC SP-X BMC Vulnerabilities
* Crypto API Toolkit for Intel SGX Advisory
* Intel Ethernet Controllers and Adapters Advisory
* Intel Ethernet VMware Drivers Advisory
* Intel Integrated Sensor Solution Advisory
* Intel Server Platform Services (SPS) Vulnerabilities
* Intel SGX SDK Advisory
* Multi-Vendor BIOS Security Vulnerabilities (February 2023)

https://support.lenovo.com/at/en/product_security/home


Released: February 2023 Exchange Server Security Updates

Microsoft has released Security Updates (SUs) for vulnerabilities found in:

* Exchange Server 2013
* Exchange Server 2016
* Exchange Server 2019

SUs are available in a self-extracting auto-elevating .exe package, as well as the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.

SUs are available for the following specific versions of Exchange Server:

* Exchange Server 2013 CU23 (note that support and availability of SUs end on April 11, 2023)
* Exchange Server 2016

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-february-2023-exchange-server-security-updates/ba-p/3741058


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


XSA-426

https://xenbits.xen.org/xsa/advisory-426.html


Advisory: Impact of Insyde UEFI Boot Issues on B&R Products

https://www.br-automation.com/downloads_br_productcatalogue/assets/1675931547567-en-original-1.0.pdf


ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability Affecting Cisco Products: February 2023

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-q8DThCy


Cisco Nexus Dashboard Cross-Site Scripting Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nexus-dashboard-xss-xc5BcgsQ


Cisco Nexus Dashboard Denial of Service Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ndb-dnsdos-bYscZOsu


Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xss-ubfHG75C


Cisco Email Security Appliance and Cisco Secure Email and Web Manager Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-privesc-9DVkFpJ8


ClamAV DMG File Parsing XML Entity Expansion Vulnerability Affecting Cisco Products: February 2023

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-xxe-TcSZduhN