End-of-Day report
Timeframe: Monday 24-04-2023 18:00 - Tuesday 25-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
News
Intel CPUs vulnerable to new transient execution side-channel attack
A new side-channel attack impacting multiple generations of Intel CPUs has been discovered, allowing data to be leaked through the EFLAGS register.
https://www.bleepingcomputer.com/news/security/intel-cpus-vulnerable-to-new-transient-execution-side-channel-attack/
New .NET Malware "WhiteSnake" Targets Python Developers, Uses Tor for C&C Communication
The JFrog Security Research team recently discovered a new malware payload in the PyPI repository, written in C#. This is uncommon since PyPI is primarily a repository for Python packages, and its codebase consists mostly of Python code, or natively compiled libraries used by Python programs. This finding raised our concerns about the potential for cross-language malware attacks. Our team identified 22 malicious packages, containing the same payload, targeting both Windows and Linux systems[...]
https://jfrog.com/blog/new-malware-targets-python-developers-uses-tor-for-c2-communication/
Release of a Technical Report into Intel Trust Domain Extensions
Today, members of Google Project Zero and Google Cloud are releasing a report on a security review of Intel's Trust Domain Extensions (TDX). [...] The result of the review was the discovery of 10 confirmed security vulnerabilities which were fixed before the final release of products with the TDX feature. The final report highlights the most interesting of these issues and provides an overview of the feature's architecture. 5 additional areas were identified for defense-in-depth changes [...]
https://googleprojectzero.blogspot.com/2023/04/technical-report-into-intel-tdx.html
New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP)
Researchers from Bitsight and Curesec have jointly discovered a high-severity vulnerability - tracked as CVE-2023-29552 - in the Service Location Protocol (SLP), a legacy Internet protocol. Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported.
https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-29552-discovered-service-location-protocol-slp
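The amplification factor quoted above is simply the size of the SLP reply divided by the size of the request that triggered it, and the cheapest check for exposure is to see whether a host answers unauthenticated service requests on UDP 427 at all. The following is an added example, not Bitsight or Curesec code: it builds an SLPv2 service request and parses a service reply according to RFC 2608, computes that ratio, and offers a probe you can point at your own hosts. The host address, the constructed reply and the service URL in the sample are assumptions for illustration; a real service agent's reply size depends on what it has registered.

```python
"""SLPv2 (RFC 2608) request builder, reply parser and exposure probe.
Added illustration for checking your own hosts on UDP 427; not vendor code."""
import socket
import struct
from typing import List, Optional

SLP_PORT = 427
SLP_VERSION = 2
FN_SRVRQST = 1          # Service Request
FN_SRVRPLY = 2          # Service Reply
FLAG_OVERFLOW = 0x8000  # reply was truncated to fit the datagram


def _slp_string(text: str) -> bytes:
    """SLP strings are a 2-byte big-endian length followed by the bytes."""
    data = text.encode()
    return struct.pack("!H", len(data)) + data


def _header(function_id: int, xid: int, body_len: int, lang: str, flags: int = 0) -> bytes:
    """Version(1) Function-ID(1) Length(3) Flags(2) Next-Ext-Offset(3) XID(2) Lang string."""
    lang_b = lang.encode()
    total = 14 + len(lang_b) + body_len
    return (struct.pack("!BB", SLP_VERSION, function_id)
            + total.to_bytes(3, "big")
            + struct.pack("!H", flags)
            + (0).to_bytes(3, "big")
            + struct.pack("!H", xid)
            + _slp_string(lang))


def build_srvrqst(service_type: str = "service:service-agent", scope: str = "DEFAULT",
                  xid: int = 1, lang: str = "en") -> bytes:
    """Unicast SrvRqst: empty previous-responder list, service type, scope, predicate, SPI."""
    body = (_slp_string("") + _slp_string(service_type) + _slp_string(scope)
            + _slp_string("") + _slp_string(""))
    return _header(FN_SRVRQST, xid, len(body), lang) + body


def build_srvrply(xid: int, urls: List[str], lang: str = "en", error: int = 0) -> bytes:
    """Constructed SrvRply used only as sample input: URL entries with no auth blocks."""
    entries = b"".join(struct.pack("!xHH", 0xFFFF, len(u.encode())) + u.encode() + b"\x00"
                       for u in urls)
    body = struct.pack("!HH", error, len(urls)) + entries
    return _header(FN_SRVRPLY, xid, len(body), lang) + body


def parse_srvrply(pkt: bytes) -> dict:
    """Decode header, error code and URL entries (skipping any authentication blocks)."""
    if len(pkt) < 14 or pkt[0] != SLP_VERSION:
        raise ValueError("not an SLPv2 message")
    if pkt[1] != FN_SRVRPLY:
        raise ValueError("unexpected function-id %d" % pkt[1])
    length = int.from_bytes(pkt[2:5], "big")
    flags = struct.unpack("!H", pkt[5:7])[0]
    xid = struct.unpack("!H", pkt[10:12])[0]
    off = 14 + struct.unpack("!H", pkt[12:14])[0]
    error, count = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    urls = []
    for _ in range(count):
        # URL entry: reserved(1) lifetime(2) url-length(2) url auth-count(1) auth-blocks
        _lifetime, url_len = struct.unpack("!xHH", pkt[off:off + 5])
        off += 5
        urls.append(pkt[off:off + url_len].decode(errors="replace"))
        off += url_len
        nauth = pkt[off]
        off += 1
        for _ in range(nauth):   # each auth block carries its own length at offset 2
            off += struct.unpack("!H", pkt[off + 2:off + 4])[0]
    return {"xid": xid, "length": length, "error": error, "urls": urls,
            "overflow": bool(flags & FLAG_OVERFLOW)}


def amplification_ratio(request: bytes, reply: bytes) -> float:
    return len(reply) / len(request)


def probe(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one SrvRqst to host:427 and return the parsed reply, or None if silent."""
    req = build_srvrqst()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    result = parse_srvrply(data)
    result["ratio"] = amplification_ratio(req, data)
    return result


if __name__ == "__main__":
    # Constructed sample exchange (no network): one service agent URL in the reply.
    req = build_srvrqst()
    rep = build_srvrply(1, ["service:service-agent://192.0.2.10"])
    print(parse_srvrply(rep), "ratio %.2f" % amplification_ratio(req, rep))
```

Any host that answers probe() is reachable as a reflector regardless of the ratio it returns for this minimal request, which is why the practical fix is to disable SLP or filter UDP 427 at the boundary rather than to judge exposure by reply size alone.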
PoC for Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) Published
The cybersecurity community is buzzing with the recent publication of a Proof-of-Concept (PoC) for CVE-2023-1671, a critical code execution vulnerability in Sophos Web Appliance with a CVSS score of 9.8. This high-risk vulnerability, caused by a pre-auth command injection flaw in the warn-proceed handler, poses significant risks to users.
https://securityonline.info/poc-for-pre-auth-rce-in-sophos-web-appliance-cve-2023-1671-published/
Attackers are logging in instead of breaking in
Cyberattackers leveraged more than 500 unique tools and tactics in 2022, according to Sophos. The data, analyzed from more than 150 Sophos Incident Response (IR) cases, identified more than 500 unique tools and techniques, including 118 "Living off the Land" binaries (LOLBins). Unlike malware, LOLBins are executables naturally found on operating systems, making them much more difficult for defenders to block when attackers exploit them for malicious activity.
https://www.helpnetsecurity.com/2023/04/25/attacks-dwell-time/
Fake Facebook page of Tiergarten Schönbrunn spreads bogus prize draw
The fake Facebook page "ZooPark Wien" is circulating a fraudulent prize draw. The post raffles off 4 admission tickets; participants only have to comment "Alles Gute zum Geburtstag" (Happy Birthday) on the post. With this prize draw, criminals are actually trying to obtain your credit card details and lure you into a subscription trap.
https://www.watchlist-internet.at/news/gefaelschte-facebook-seite-vom-tiergarten-schoenbrunn-verbreitet-fake-gewinnspiel/
Vulnerabilities
CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution
Apache Superset is an open source data visualization and exploration tool. [...] there are more than 3000 instances of it exposed to the Internet. [...] at least 2000 (two-thirds of all servers) - are running with a dangerous default configuration. As a result, many of these servers are effectively open to the public. Any attacker can "log in" to these servers with administrative privileges, access and modify data connected to these servers, harvest credentials, and execute remote code.
https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/
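The "log in" works because Superset sessions are ordinary Flask cookies signed with the application's SECRET_KEY: an instance still running a shipped default key issues cookies that anyone holding that key can validate, and therefore mint. The following added check (not Superset or Horizon3 code) reimplements Flask's itsdangerous signing scheme with the standard library only and reports whether a session cookie taken from one of your own instances validates under a list of default keys. The list of default values is an assumption drawn from Superset's shipped configuration and documentation and should be reviewed against the version you run; the sample cookie is constructed in the block.

```python
"""Does a Flask session cookie validate under a known default SECRET_KEY?
Added illustration; not Superset or Horizon3 code."""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Iterable, Optional

# Flask's SecureCookieSessionInterface signs with itsdangerous using this salt,
# SHA-1 as digest and "hmac" key derivation.
FLASK_SALT = b"cookie-session"

# Assumed default/placeholder SECRET_KEY values; extend with your own known-bad values.
DEFAULT_SECRET_KEYS = [
    "\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h",  # historical config.py default
    "CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET",          # later config.py default
    "thisISaSECRET_1234",                            # docker-compose example
    "YOUR_OWN_RANDOM_GENERATED_SECRET_KEY",          # documentation placeholder
]


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signature(secret: str, signed_value: bytes) -> str:
    # itsdangerous "hmac" key derivation: key = HMAC-SHA1(secret, salt)
    derived = hmac.new(secret.encode(), FLASK_SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(derived, signed_value, hashlib.sha1).digest())


def sign_session(secret: str, data: dict, ts: Optional[int] = None) -> str:
    """Produce a cookie in Flask's payload.timestamp.signature format.
    Used here to build a constructed fixture; uncompressed payload only."""
    payload = _b64e(json.dumps(data, separators=(",", ":")).encode())
    ts = int(time.time()) if ts is None else ts
    ts_part = _b64e(ts.to_bytes(max(1, (ts.bit_length() + 7) // 8), "big"))
    body = "%s.%s" % (payload, ts_part)
    return "%s.%s" % (body, _signature(secret, body.encode()))


def verify_session(cookie: str, secret: str) -> Optional[dict]:
    """Return the decoded session if the cookie validates under `secret`, else None."""
    parts = cookie.rsplit(".", 2)
    if len(parts) != 3:
        return None
    payload, ts_part, sig = parts
    expected = _signature(secret, ("%s.%s" % (payload, ts_part)).encode())
    if not hmac.compare_digest(sig, expected):
        return None
    compressed = payload.startswith(".")   # itsdangerous marks zlib-compressed payloads
    raw = _b64d(payload[1:] if compressed else payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def find_default_key(cookie: str, candidates: Iterable[str] = DEFAULT_SECRET_KEYS) -> Optional[str]:
    """Return the first candidate key that validates the cookie, or None if none does."""
    for key in candidates:
        if verify_session(cookie, key) is not None:
            return key
    return None


if __name__ == "__main__":
    # Constructed sample: a cookie as a misconfigured instance would issue it.
    sample = sign_session("CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET", {"locale": "en"})
    print("cookie validates under default key:", find_default_key(sample))
```

Run find_default_key() against the session cookie your browser receives after visiting an instance; a match means every session on that server is forgeable and the key must be rotated, which also invalidates all existing sessions.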
Xen Security Advisory CVE-2022-42335 / XSA-430 - x86 shadow paging arbitrary pointer dereference
Guests running in shadow mode and having a PCI device passed through may be able to cause Denial of Service and other problems, escalation of privilege cannot be ruled out.
https://xenbits.xen.org/xsa/advisory-430.html
Zyxel closes partly critical security vulnerabilities in firewalls and access points
Zyxel has issued warnings about security vulnerabilities in firewalls and access points. Firmware updates that close the holes are available.
https://heise.de/-8977831
Security updates for Tuesday
Security updates have been issued by CentOS (firefox, java-11-openjdk, and thunderbird), Debian (apache2), Fedora (kernel), Oracle (emacs), Red Hat (emacs, haproxy, java-1.8.0-openjdk, kernel, kernel-rt, kpatch-patch, pcs, pki-core:10.6, and qatzip), and SUSE (avahi, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, giflib, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, ovmf, and protobuf-c).
https://lwn.net/Articles/930128/
WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" vulnerable to cross-site scripting
https://jvn.jp/en/jp/JVN00971105/
ZDI-23-458: SolarWinds Network Performance Monitor TFTP Link Following Local Privilege Escalation Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-458/
ZDI-23-457: SolarWinds Network Performance Monitor ExecuteExternalProgram Command Injection Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-457/
F5: K000133630 : Intel processor vulnerability CVE-2022-26343
https://my.f5.com/manage/s/article/K000133630
F5: K000133633 : Intel BIOS firmware vulnerability CVE-2022-32231
https://my.f5.com/manage/s/article/K000133633
Multiple Vulnerabilities Patched in Shield Security
https://www.wordfence.com/blog/2023/04/multiple-vulnerabilities-patched-in-shield-security/
Belden: 2022-26 Multiple libexpat vulnerabilities in HiOS, Classic, HiSecOS, Wireless BAT-C2, Lite Managed, Edge
https://assets.belden.com/m/6f2d4e1f6bbaeb54/original/BSECV-2022-26.pdf
Belden: 2022-29 strongSwan: integer overflow when replacing certificates in cache
https://assets.belden.com/m/25e4130e915c61a1/original/Belden_Security_Bulletin_BSECV-2022-29_A01.pdf
[R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202304.1
https://www.tenable.com/security/tns-2023-18
Nextcloud: Missing brute force protection for passwords of password protected share links
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xj97-3w7w
Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester
https://www.ibm.com/support/pages/node/6985649
IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283)
https://www.ibm.com/support/pages/node/6985651
IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted subquery. (CVE-2023-27559)
https://www.ibm.com/support/pages/node/6985667
IBM® Db2® is vulnerable to a denial of service as the server may crash when an Out of Memory occurs. (CVE-2023-26022)
https://www.ibm.com/support/pages/node/6985669
IBM® Db2® is vulnerable to a denial of service. Under rare conditions, setting a special register may cause the Db2 server to terminate abnormally. (CVE-2023-25930)
https://www.ibm.com/support/pages/node/6985677
IBM® Db2® is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause. (CVE-2023-26021)
https://www.ibm.com/support/pages/node/6985681
IBM® Db2® is vulnerable to a denial of service as the server may crash when attempting to use ACR client affinity for unfenced DRDA federation wrappers. (CVE-2023-27555)
https://www.ibm.com/support/pages/node/6985683
IBM® Db2® is vulnerable to a denial of service as it may trap when compiling a variation of an anonymous block. (CVE-2023-29255)
https://www.ibm.com/support/pages/node/6985687
IBM® Db2® is vulnerable to remote code execution as a database administrator of one database may execute code or read/write files from another database within the same instance. (CVE-2023-29257)
https://www.ibm.com/support/pages/node/6985691
IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2023-27860)
https://www.ibm.com/support/pages/node/6985679
Multiple vulnerabilities affect IBM Db2® Graph
https://www.ibm.com/support/pages/node/6985689
IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to IBM HTTP Server (CVE-2023-26281)
https://www.ibm.com/support/pages/node/6985851
Docker based datastores for IBM Instana do not currently require authentication
https://www.ibm.com/support/pages/node/6959969
IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixed in 9.7.2.7
https://www.ibm.com/support/pages/node/6984347
IBM Safer Payments is vulnerable to OpenSSL Denial of Service Attack (CVE-2022-0778)
https://www.ibm.com/support/pages/node/6985865
TADDM is vulnerable to a denial of service due to vulnerabilities in Apache HttpClient
https://www.ibm.com/support/pages/node/6985905