Daily summary - 25.04.2023

End-of-Day report

Timeframe: Monday 24-04-2023 18:00 - Tuesday 25-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer

News

Intel CPUs vulnerable to new transient execution side-channel attack

A new side-channel attack impacting multiple generations of Intel CPUs has been discovered, allowing data to be leaked through the EFLAGS register.

https://www.bleepingcomputer.com/news/security/intel-cpus-vulnerable-to-new-transient-execution-side-channel-attack/


New .NET Malware "WhiteSnake" Targets Python Developers, Uses Tor for C&C Communication

The JFrog Security Research team recently discovered a new malware payload in the PyPI repository, written in C#. This is uncommon since PyPI is primarily a repository for Python packages, and its codebase consists mostly of Python code, or natively compiled libraries used by Python programs. This finding raised our concerns about the potential for cross-language malware attacks. Our team identified 22 malicious packages, containing the same payload, targeting both Windows and Linux systems[...]

https://jfrog.com/blog/new-malware-targets-python-developers-uses-tor-for-c2-communication/


Release of a Technical Report into Intel Trust Domain Extensions

Today, members of Google Project Zero and Google Cloud are releasing a report on a security review of Intel's Trust Domain Extensions (TDX). [...] The result of the review was the discovery of 10 confirmed security vulnerabilities which were fixed before the final release of products with the TDX feature. The final report highlights the most interesting of these issues and provides an overview of the feature's architecture. 5 additional areas were identified for defense-in-depth changes [...]

https://googleprojectzero.blogspot.com/2023/04/technical-report-into-intel-tdx.html


New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP)

Researchers from Bitsight and Curesec have jointly discovered a high-severity vulnerability - tracked as CVE-2023-29552 - in the Service Location Protocol (SLP), a legacy Internet protocol. Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported.

https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-29552-discovered-service-location-protocol-slp


PoC for Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) Published

The cybersecurity community is buzzing with the recent publication of a Proof-of-Concept (PoC) for CVE-2023-1671, a critical code execution vulnerability in Sophos Web Appliance with a CVSS score of 9.8. This high-risk vulnerability, caused by a pre-auth command injection flaw in the warn-proceed handler, poses significant risks to users.

https://securityonline.info/poc-for-pre-auth-rce-in-sophos-web-appliance-cve-2023-1671-published/


Attackers are logging in instead of breaking in

Cyberattackers leveraged more than 500 unique tools and tactics in 2022, according to Sophos. The data, analyzed from more than 150 Sophos Incident Response (IR) cases, identified more than 500 unique tools and techniques, including 118 "Living off the Land" binaries (LOLBins). Unlike malware, LOLBins are executables naturally found on operating systems, making them much more difficult for defenders to block when attackers exploit them for malicious activity.

https://www.helpnetsecurity.com/2023/04/25/attacks-dwell-time/


Fake Facebook page of Tiergarten Schönbrunn spreads fake prize draw

The fake Facebook page "ZooPark Wien" is spreading a fraudulent prize draw. The post claims that 4 admission tickets are being raffled. Participants only need to comment "Alles Gute zum Geburtstag" (Happy Birthday) on the post. With this prize draw, however, criminals are trying to obtain your credit card details and lure you into a subscription trap.

https://www.watchlist-internet.at/news/gefaelschte-facebook-seite-vom-tiergarten-schoenbrunn-verbreitet-fake-gewinnspiel/

Vulnerabilities

CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution

Apache Superset is an open source data visualization and exploration tool. [...] there are more than 3000 instances of it exposed to the Internet. [...] at least 2000 (two-thirds of all servers) - are running with a dangerous default configuration. As a result, many of these servers are effectively open to the public. Any attacker can "log in" to these servers with administrative privileges, access and modify data connected to these servers, harvest credentials, and execute remote code.

https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/


Xen Security Advisory CVE-2022-42335 / XSA-430 - x86 shadow paging arbitrary pointer dereference

Guests running in shadow mode and having a PCI device passed through may be able to cause Denial of Service and other problems; escalation of privilege cannot be ruled out.

https://xenbits.xen.org/xsa/advisory-430.html


Zyxel closes partly critical security vulnerabilities in firewalls and access points

Zyxel has issued warnings about security vulnerabilities in firewalls and access points. Firmware updates to close the holes are available.

https://heise.de/-8977831


Security updates for Tuesday

Security updates have been issued by CentOS (firefox, java-11-openjdk, and thunderbird), Debian (apache2), Fedora (kernel), Oracle (emacs), Red Hat (emacs, haproxy, java-1.8.0-openjdk, kernel, kernel-rt, kpatch-patch, pcs, pki-core:10.6, and qatzip), and SUSE (avahi, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, giflib, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, ovmf, and protobuf-c).

https://lwn.net/Articles/930128/


WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" vulnerable to cross-site scripting

https://jvn.jp/en/jp/JVN00971105/


ZDI-23-458: SolarWinds Network Performance Monitor TFTP Link Following Local Privilege Escalation Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-458/


ZDI-23-457: SolarWinds Network Performance Monitor ExecuteExternalProgram Command Injection Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-457/


F5: K000133630 : Intel processor vulnerability CVE-2022-26343

https://my.f5.com/manage/s/article/K000133630


F5: K000133633 : Intel BIOS firmware vulnerability CVE-2022-32231

https://my.f5.com/manage/s/article/K000133633


Multiple Vulnerabilities Patched in Shield Security

https://www.wordfence.com/blog/2023/04/multiple-vulnerabilities-patched-in-shield-security/


Belden: 2022-26 Multiple libexpat vulnerabilities in HiOS, Classic, HiSecOS, Wireless BAT-C2, Lite Managed, Edge

https://assets.belden.com/m/6f2d4e1f6bbaeb54/original/BSECV-2022-26.pdf


Belden: 2022-29 strongSwan: integer overflow when replacing certificates in cache

https://assets.belden.com/m/25e4130e915c61a1/original/Belden_Security_Bulletin_BSECV-2022-29_A01.pdf


[R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202304.1

https://www.tenable.com/security/tns-2023-18


Nextcloud: Missing brute force protection for passwords of password protected share links

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xj97-3w7w


Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester

https://www.ibm.com/support/pages/node/6985649


IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283)

https://www.ibm.com/support/pages/node/6985651


Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted subquery. (CVE-2023-27559)

https://www.ibm.com/support/pages/node/6985667


IBM® Db2® is vulnerable to a denial of service as the server may crash when an Out of Memory occurs. (CVE-2023-26022)

https://www.ibm.com/support/pages/node/6985669


IBM® Db2® is vulnerable to a denial of service. Under rare conditions, setting a special register may cause the Db2 server to terminate abnormally. (CVE-2023-25930)

https://www.ibm.com/support/pages/node/6985677


IBM® Db2® is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause. (CVE-2023-26021)

https://www.ibm.com/support/pages/node/6985681


IBM® Db2® is vulnerable to a denial of service as the server may crash when attempting to use ACR client affinity for unfenced DRDA federation wrappers. (CVE-2023-27555)

https://www.ibm.com/support/pages/node/6985683


IBM® Db2® is vulnerable to a denial of service as it may trap when compiling a variation of an anonymous block. (CVE-2023-29255)

https://www.ibm.com/support/pages/node/6985687


IBM® Db2® is vulnerable to remote code execution as a database administrator of one database may execute code or read/write files from another database within the same instance. (CVE-2023-29257)

https://www.ibm.com/support/pages/node/6985691


IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2023-27860)

https://www.ibm.com/support/pages/node/6985679


Multiple vulnerabilities affect IBM Db2® Graph

https://www.ibm.com/support/pages/node/6985689


IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to IBM HTTP Server (CVE-2023-26281)

https://www.ibm.com/support/pages/node/6985851


Docker based datastores for IBM Instana do not currently require authentication

https://www.ibm.com/support/pages/node/6959969


IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixed in 9.7.2.7

https://www.ibm.com/support/pages/node/6984347


IBM Safer Payments is vulnerable to OpenSSL Denial of Service Attack (CVE-2022-0778)

https://www.ibm.com/support/pages/node/6985865


TADDM is vulnerable to a denial of service due to vulnerabilities in Apache HttpClient

https://www.ibm.com/support/pages/node/6985905