End-of-Day report
Timeframe: Tuesday 18-04-2023 18:00 - Wednesday 19-04-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
News
Critical Patch Update: Oracle addresses 433 security vulnerabilities
The software vendor Oracle has released numerous security updates for its applications. Some of the vulnerabilities are rated critical.
https://heise.de/-8971485
Security updates: Dell only now patches laptops that have been vulnerable since 2022
BIOS updates for, among others, Dell models of the Alienware and Inspiron series close two security vulnerabilities.
https://heise.de/-8971821
When old routers give away company secrets
When decommissioning their old hardware, many companies throw the baby out with the bathwater.
https://www.welivesecurity.com/deutsch/2023/04/18/wenn-alte-router-firmengeheimnisse-preisgeben/
Hackers actively exploit critical RCE bug in PaperCut servers
Print management software developer PaperCut is warning customers to update their software immediately, as hackers are actively exploiting flaws to gain access to vulnerable servers.
https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/
Zaraza Bot Targets Google Chrome to Extract Login Credentials
The data-stealing malware threatens the cyber safety of individual and organizational privacy by infecting a range of Web browsers.
https://www.darkreading.com/remote-workforce/zaraza-bot-targets-google-chrome-extract-login-credentials
SecurePwn Part 1: Bypassing SecurePoint UTM's Authentication (CVE-2023-22620)
While working on a recent customer penetration test, I discovered two fascinating and somewhat weird bugs in SecurePoint's UTM firewall solution. The first one, aka CVE-2023-22620, is rated critical for an attacker to bypass the entire authentication and gain access to the firewall's administrative panel. [...] The second one, aka CVE-2023-22897 is a heartbleed-like bug that allows the leaking of remote memory contents and is discussed in a second blog post.
https://www.rcesecurity.com/2023/04/securepwn-part-1-bypassing-securepoint-utms-authentication-cve-2023-22620/
SecurePwn Part 2: Leaking Remote Memory Contents (CVE-2023-22897)
While my last finding affecting SecurePoint's UTM was quite interesting already, I was hit by a really hard OpenSSL Heartbleed flashback with this one. [...] I've responsibly coordinated both vulnerabilities with the vendor SecurePoint and notified them about both issues on 5th January 2023. They did an amazing job acknowledging the vulnerability and providing a fix within a single business day. I barely see (hardware) vendors reacting so fast. Well done!
https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-contents-cve-2023-22897/
Threat Actors Rapidly Adopt Web3 IPFS Technology
Web3 technologies are seeing widespread adoption - including by TAs. We discuss Web3 technology InterPlanetary File System (IPFS), and malicious use of it.
https://unit42.paloaltonetworks.com/ipfs-used-maliciously/
Play Ransomware Group Using New Custom Data-Gathering Tools
Tools allow attackers to harvest data typically locked by the operating system.
https://symantec-enterprise-blogs.security.com/threat-intelligence/play-ransomware-volume-shadow-copy
Raspberry Robin: Anti-Evasion How-To & Exploit Analysis
During the last year, Raspberry Robin has evolved into one of the most widely distributed malware families currently active. During this time, it has likely been used by many actors to distribute their own malware, such as IcedID, Clop ransomware and more.
https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/
Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation - Part 2
In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog [...]
https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2
DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks
NoName057(16) is still conducting DDoS attacks on the websites of institutions and companies in European countries. The new Go variant of bots implemented an authentication mechanism to communicate with C2 servers and their proxies. Moreover, the mechanism also provides IP address blocklisting, presumably to hinder the tracking of the project.
https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-trying-to-improve-the-efficiency-of-ddos-attacks/
Vulnerabilities
Web browser: New zero-day vulnerability in Google Chrome
Cybercriminals are exploiting a new zero-day vulnerability in the Chrome web browser in the wild. Google is distributing software updates to close the vulnerability.
https://heise.de/-8971427
Security updates for Wednesday
Security updates have been issued by Debian (asterisk), Fedora (lldpd and openssh), Red Hat (curl, kernel, and openvswitch2.13), SUSE (compat-openssl098, glib2, grafana, helm, libgit2, openssl, and openssl-1_1), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and vim).
https://lwn.net/Articles/929533/
Research by Positive Technologies helps to fix vulnerabilities in Nokia NetAct network management system
Nokia has fixed five vulnerabilities in Nokia NetAct found by Positive Technologies experts Vladimir Razov and Alexander Ustinov. Nokia NetAct is used by more than 500 communications service providers to monitor and control telecommunication networks, base stations, and other systems. The vendor was notified of the threat as part of standard responsible disclosure and has fixed the vulnerabilities in new versions of the software.
https://www.ptsecurity.com/ww-en/about/news/research-by-positive-technologies-helps-to-fix-vulnerabilities-in-nokia-netact-network-management-system
WordPress plugin "LIQUID SPEECH BALLOON" vulnerable to cross-site request forgery
https://jvn.jp/en/jp/JVN99657911/
Oracle Critical Patch Update Advisory - April 2023
https://www.oracle.com/security-alerts/cpuapr2023.html
K000133390 : Apache Tomcat vulnerability CVE-2022-45143
https://my.f5.com/manage/s/article/K000133390
K000133547 : Python urllib3 vulnerability CVE-2020-26137
https://my.f5.com/manage/s/article/K000133547
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/