Daily summary - 20.04.2023

End-of-Day report

Timeframe: Wednesday 19-04-2023 18:00 - Thursday 20-04-2023 18:00 Handler: Robert Waldner Co-Handler: n/a

News

Vulnerability allows thieves to take over iPhones

Criminals are using a security vulnerability to gain access to their victims' Apple IDs.

https://futurezone.at/produkte/schwachstelle-diebstahl-iphones-uebernehmen-code-wiederherstellung-schluessel-usa/402418847


Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads

A new Android malware strain named Goldoson has been detected in the official Google Play Store spanning more than 60 legitimate apps that collectively have over 100 million downloads. [..] Following responsible disclosure to Google, 36 of the 63 offending apps have been pulled from the Google Play Store. The remaining 27 apps have been updated to remove the malicious library.

https://thehackernews.com/2023/04/goldoson-android-malware-infects-over.html


The Huge 3CX Breach Was Actually 2 Linked Supply Chain Attacks

The mass compromise of the VoIP firm's customers is the first confirmed incident where one software supply chain attack enabled another, researchers say.

https://www.wired.com/story/3cx-supply-chain-attack-times-two/


'AuKill' EDR killer malware abuses Process Explorer driver

The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.

https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/


Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation - Part 2

In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog post, we will show the other vulnerable functions we were able to exploit.

https://www.cyberark.com/resources/threat-research-blog/breaking-docker-named-pipes-systematically-docker-desktop-privilege-escalation-part-2


Increased attacks on Cisco routers and switches running Cisco IOS and IOS-XE

Several security agencies and Cisco itself are warning of increased exploitation of old vulnerabilities in Cisco IOS and IOS-XE.

https://heise.de/-8973626


Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 10, 2023 to Apr 16, 2023)

Last week, there were 69 vulnerabilities disclosed in 60 WordPress plugins and 4 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

https://www.wordfence.com/blog/2023/04/wordfence-intelligence-weekly-wordpress-vulnerability-report-apr-10-2023-to-apr-16-2023/


LockBit ransomware prepares attacks on Apple

The attackers have apparently further developed their malware and released a new variant that targets Apple computers.

https://www.zdnet.de/88408574/lockbit-ransomware-bereitet-angriffe-auf-apple-vor/


CISA and Partners Release Cybersecurity Best Practices for Smart Cities

Today, CISA, NSA, FBI, NCSC-UK, ACSC, CCCS and NCSC-NZ released a joint guide: Cybersecurity Best Practices for Smart Cities. Smart cities may create safer, more efficient, resilient communities through technological innovation and data-driven decision making. However, this opportunity also introduces potential vulnerabilities and weaknesses that, if exploited, could impact national security, economic security, public health and safety, and critical infrastructure operations.

https://www.cisa.gov/news-events/alerts/2023/04/19/cisa-and-partners-release-cybersecurity-best-practices-smart-cities

Vulnerabilities

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005

Security risk: Moderately critical. The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release.

https://www.drupal.org/sa-core-2023-005


Cisco Security Advisories Published on April 19, 2023 - 2 Critical, 2 High, 2 Medium

* StarOS Software Key-Based SSH Authentication Privilege Escalation Vulnerability
* SD-WAN vManage Software Arbitrary File Deletion Vulnerability
* TelePresence Collaboration Endpoint and RoomOS Arbitrary File Write Vulnerabilities
* Industrial Network Director Vulnerabilities
* Modeling Labs External Authentication Bypass Vulnerability
* BroadWorks Network Server TCP Denial of Service Vulnerability

https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2023%2F04%2F19&firstPublishedEndDate=2023%2F04%2F19


Multiple code-execution vulnerabilities closed in Foxit PDF

Anyone using Foxit PDF Reader or PDF Editor on Windows is vulnerable.

https://heise.de/-8974063


Stable Channel Update for Desktop

The Stable and extended stable channel has been updated to 112.0.5615.137/138 for Windows and 112.0.5615.137 for Mac and 112.0.5615.165 for Linux which will roll out over the coming days/weeks. [..] Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix.

http://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html


Blubrry Addresses Authenticated Stored XSS Vulnerability in PowerPress WordPress Plugin

On April 5, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in Blubrry's PowerPress plugin, which is actively installed on more than 50,000 WordPress websites.

https://www.wordfence.com/blog/2023/04/blubrry-addresses-authenticated-stored-xss-vulnerability-in-powerpress-wordpress-plugin/


Security updates for Thursday

Security updates have been issued by Debian (golang-1.11), Fedora (chromium, golang-github-cenkalti-backoff, golang-github-cli-crypto, golang-github-cli-gh, golang-github-cli-oauth, golang-github-gabriel-vasile-mimetype, libpcap, lldpd, parcellite, tcpdump, thunderbird, and zchunk), Red Hat (java-11-openjdk, java-17-openjdk, and kernel), SUSE (chromium, dnsmasq, ImageMagick, nodejs16, openssl-1_0_0, openssl1, ovmf, and python-Flask), and Ubuntu (dnsmasq, libxml2, linux, linux-aws, linux-aws-5.4, linux-azure, linu linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15 linux-oracle, linux-raspi2, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and linux-snapdragon).

https://lwn.net/Articles/929671/


Chromium: CVE-2023-2136 Integer overflow in Skia

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2023-2136 exists in the wild.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2136


Spring Boot 2.7.11 available now fixing CVE-2023-20873

https://spring.io/blog/2023/04/20/spring-boot-2-7-11-available-now-fixing-cve-2023-20873


Spring Boot 3.0.6 available now fixing CVE-2023-20873

https://spring.io/blog/2023/04/20/spring-boot-3-0-6-available-now-fixing-cve-2023-20873


Security vulnerabilities have been identified in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products.

https://www.ibm.com/support/pages/node/6953617


Unprivileged GPU access vulnerability - CVE-2013-5987

https://www.ibm.com/support/pages/node/864038


Multiple vulnerabilities found in third party libraries used by IBM® MobileFirst Platform

https://www.ibm.com/support/pages/node/6984763


Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server used by IBM Maximo Application Suite

https://www.ibm.com/support/pages/node/6984785


IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js npm module information disclosure (CVE-2022-29244)

https://www.ibm.com/support/pages/node/6984799


IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998)

https://www.ibm.com/support/pages/node/6984945


IBM Security Verify Governance is vulnerable to sensitive information exposure (CVE-2021-31403)

https://www.ibm.com/support/pages/node/6984957


IBM Security Verify Governance is vulnerable to denial of service and security bypass (CVE-2018-10237, CVE-2020-8908)

https://www.ibm.com/support/pages/node/6984959


IBM Security Verify Governance is vulnerable to a denial of service (CVE-2022-42004, CVE-2022-42003)

https://www.ibm.com/support/pages/node/6984967


IBM Security Verify Governance is vulnerable to sensitive information exposure and denial of service (CVE-2021-31403, CVE-2021-33609)

https://www.ibm.com/support/pages/node/6984971


IBM Security Verify Governance is vulnerable to denial of service (CVE-2022-24839)

https://www.ibm.com/support/pages/node/6984973


IBM Security Verify Governance is vulnerable to arbitrary code execution (CVE-2020-10650)

https://www.ibm.com/support/pages/node/6984963


IBM Security Verify Governance is vulnerable to denial of service (CVE-2023-24998)

https://www.ibm.com/support/pages/node/6984969


Security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2023-24998)

https://www.ibm.com/support/pages/node/6984965


IBM Rational Build Forge is vulnerable and could allow an unauthenticated attacker to obtain sensitive information due to the use of JSSE component (CVE-2021-35603)

https://www.ibm.com/support/pages/node/6984975


IBM App Connect Enterprise is vulnerable to a denial of service due to the ua-parser-js module (CVE-2022-25927)

https://www.ibm.com/support/pages/node/6984987


Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition

https://www.ibm.com/support/pages/node/6839127


Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition

https://www.ibm.com/support/pages/node/6967213


CVE-2022-3676 may affect IBM® SDK, Java™ Technology Edition

https://www.ibm.com/support/pages/node/6839777


IBM Rational Build Forge is vulnerable and could allow an attacker to obtain sensitive information due to the use of the JSSE component (CVE-2021-35550)

https://www.ibm.com/support/pages/node/6985007


CVE-2023-30441 affects IBM® SDK, Java™ Technology Edition

https://www.ibm.com/support/pages/node/6985011


AIX is vulnerable to arbitrary command execution (CVE-2023-26286)

https://www.ibm.com/support/pages/node/6983236


INEA ME RTU

https://www.cisa.gov/news-events/ics-advisories/icsa-23-110-01