End-of-Day report
Timeframe: Wednesday 19-04-2023 18:00 - Thursday 20-04-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Vulnerability lets thieves take over iPhones
Criminals are using a security flaw to gain access to their victims' Apple IDs.
https://futurezone.at/produkte/schwachstelle-diebstahl-iphones-uebernehmen-code-wiederherstellung-schluessel-usa/402418847
Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads
A new Android malware strain named Goldoson has been detected in the official Google Play Store spanning more than 60 legitimate apps that collectively have over 100 million downloads. [..] Following responsible disclosure to Google, 36 of the 63 offending apps have been pulled from the Google Play Store. The remaining 27 apps have been updated to remove the malicious library.
https://thehackernews.com/2023/04/goldoson-android-malware-infects-over.html
The Huge 3CX Breach Was Actually 2 Linked Supply Chain Attacks
The mass compromise of the VoIP firm's customers is the first confirmed incident where one software supply chain attack enabled another, researchers say.
https://www.wired.com/story/3cx-supply-chain-attack-times-two/
'AuKill' EDR killer malware abuses Process Explorer driver
The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation - Part 2
In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog post, we will show the other vulnerable functions we were able to exploit.
https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2
Increased attacks on Cisco routers and switches running Cisco IOS and IOS-XE
Several security agencies and Cisco itself warn of increased exploitation of old vulnerabilities in Cisco IOS and IOS-XE.
https://heise.de/-8973626
Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 10, 2023 to Apr 16, 2023)
Last week, there were 69 vulnerabilities disclosed in 60 WordPress plugins and 4 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
https://www.wordfence.com/blog/2023/04/wordfence-intelligence-weekly-wordpress-vulnerability-report-apr-10-2023-to-apr-16-2023/
LockBit ransomware prepares attacks on Apple
The attackers have apparently further developed their malware and put a new variant into circulation that targets Apple computers.
https://www.zdnet.de/88408574/lockbit-ransomware-bereitet-angriffe-auf-apple-vor/
CISA and Partners Release Cybersecurity Best Practices for Smart Cities
Today, CISA, NSA, FBI, NCSC-UK, ACSC, CCCS and NCSC-NZ released a joint guide: Cybersecurity Best Practices for Smart Cities. Smart cities may create safer, more efficient, resilient communities through technological innovation and data-driven decision making. However, this opportunity also introduces potential vulnerabilities and weaknesses that, if exploited, could impact national security, economic security, public health and safety, and critical infrastructure operations.
https://www.cisa.gov/news-events/alerts/2023/04/19/cisa-and-partners-release-cybersecurity-best-practices-smart-cities
Vulnerabilities
Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005
Security risk: Moderately critical
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release.
https://www.drupal.org/sa-core-2023-005
Cisco Security Advisories Published on April 19, 2023 - 2 Critical, 2 High, 2 Medium
* StarOS Software Key-Based SSH Authentication Privilege Escalation Vulnerability
* SD-WAN vManage Software Arbitrary File Deletion Vulnerability
* TelePresence Collaboration Endpoint and RoomOS Arbitrary File Write Vulnerabilities
* Industrial Network Director Vulnerabilities
* Modeling Labs External Authentication Bypass Vulnerability
* BroadWorks Network Server TCP Denial of Service Vulnerability
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2023%2F04%2F19&firstPublishedEndDate=2023%2F04%2F19
Several code-execution vulnerabilities closed in Foxit PDF
Anyone using Foxit PDF Reader or PDF Editor on Windows is vulnerable.
https://heise.de/-8974063
Stable Channel Update for Desktop
The Stable and extended stable channel has been updated to 112.0.5615.137/138 for Windows and 112.0.5615.137 for Mac and 112.0.5615.165 for Linux which will roll out over the coming days/weeks. [..] Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix.
http://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html
Blubrry Addresses Authenticated Stored XSS Vulnerability in PowerPress WordPress Plugin
On April 5, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in Blubrry's PowerPress plugin, which is actively installed on more than 50,000 WordPress websites.
https://www.wordfence.com/blog/2023/04/blubrry-addresses-authenticated-stored-xss-vulnerability-in-powerpress-wordpress-plugin/
Security updates for Thursday
Security updates have been issued by Debian (golang-1.11), Fedora (chromium, golang-github-cenkalti-backoff, golang-github-cli-crypto, golang-github-cli-gh, golang-github-cli-oauth, golang-github-gabriel-vasile-mimetype, libpcap, lldpd, parcellite, tcpdump, thunderbird, and zchunk), Red Hat (java-11-openjdk, java-17-openjdk, and kernel), SUSE (chromium, dnsmasq, ImageMagick, nodejs16, openssl-1_0_0, openssl1, ovmf, and python-Flask), and Ubuntu (dnsmasq, libxml2, linux, linux-aws, linux-aws-5.4, linux-azure, linu linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15 linux-oracle, linux-raspi2, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and linux-snapdragon).
https://lwn.net/Articles/929671/
Chromium: CVE-2023-2136 Integer overflow in Skia
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2023-2136 exists in the wild.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2136
Spring Boot 2.7.11 available now fixing CVE-2023-20873
https://spring.io/blog/2023/04/20/spring-boot-2-7-11-available-now-fixing-cve-2023-20873
Spring Boot 3.0.6 available now fixing CVE-2023-20873
https://spring.io/blog/2023/04/20/spring-boot-3-0-6-available-now-fixing-cve-2023-20873
Security vulnerabilities have been identified in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products.
https://www.ibm.com/support/pages/node/6953617
Unprivileged GPU access vulnerability - CVE-2013-5987
https://www.ibm.com/support/pages/node/864038
Multiple vulnerabilities found in third party libraries used by IBM® MobileFirst Platform
https://www.ibm.com/support/pages/node/6984763
Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server used by IBM Maximo Application Suite
https://www.ibm.com/support/pages/node/6984785
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js npm module information disclosure (CVE-2022-29244)
https://www.ibm.com/support/pages/node/6984799
IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998)
https://www.ibm.com/support/pages/node/6984945
IBM Security Verify Governance is vulnerable to sensitive information exposure (CVE-2021-31403)
https://www.ibm.com/support/pages/node/6984957
IBM Security Verify Governance is vulnerable to denial of service and security bypass (CVE-2018-10237, CVE-2020-8908)
https://www.ibm.com/support/pages/node/6984959
IBM Security Verify Governance is vulnerable to a denial of service (CVE-2022-42004, CVE-2022-42003)
https://www.ibm.com/support/pages/node/6984967
IBM Security Verify Governance is vulnerable to sensitive information exposure and denial of service (CVE-2021-31403, CVE-2021-33609)
https://www.ibm.com/support/pages/node/6984971
IBM Security Verify Governance is vulnerable to denial of service (CVE-2022-24839)
https://www.ibm.com/support/pages/node/6984973
IBM Security Verify Governance is vulnerable to arbitrary code execution (CVE-2020-10650)
https://www.ibm.com/support/pages/node/6984963
IBM Security Verify Governance is vulnerable to denial of service (CVE-2023-24998)
https://www.ibm.com/support/pages/node/6984969
A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2023-24998)
https://www.ibm.com/support/pages/node/6984965
IBM Rational Build Forge is vulnerable and could allow an unauthenticated attacker to obtain sensitive information due to the use of JSSE component (CVE-2021-35603)
https://www.ibm.com/support/pages/node/6984975
IBM App Connect Enterprise is vulnerable to a denial of service due to the ua-parser-js module (CVE-2022-25927)
https://www.ibm.com/support/pages/node/6984987
Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition
https://www.ibm.com/support/pages/node/6839127
Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition
https://www.ibm.com/support/pages/node/6967213
CVE-2022-3676 may affect IBM® SDK, Java™ Technology Edition
https://www.ibm.com/support/pages/node/6839777
IBM Rational Build Forge is vulnerable and could allow an attacker to obtain sensitive information due to the use of the JSSE component (CVE-2021-35550)
https://www.ibm.com/support/pages/node/6985007
CVE-2023-30441 affects IBM® SDK, Java™ Technology Edition
https://www.ibm.com/support/pages/node/6985011
AIX is vulnerable to arbitrary command execution (CVE-2023-26286)
https://www.ibm.com/support/pages/node/6983236
INEA ME RTU
https://www.cisa.gov/news-events/ics-advisories/icsa-23-110-01