End-of-Day report
Timeframe: Wednesday 03-05-2023 18:00 - Thursday 04-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
News
Windows admins can now sign up for "known issue" email alerts
Microsoft announced today that Windows admins can now choose to be emailed when new known issues are added to the Windows release health section of the Microsoft 365 admin center.
https://www.bleepingcomputer.com/news/microsoft/windows-admins-can-now-sign-up-for-known-issue-email-alerts/
Infostealer Embedded in a Word Document, (Thu, May 4th)
When attackers design malicious documents, one of their challenges is to make the potential victim confident to perform dangerous actions: click on a link, disable a security feature, etc. The best example is probably VBA macros in Microsoft Office documents. Disabled by default, the attacker must make the user confident to enable them by clicking on the "yellow ribbon" on top of the document. Yesterday I found a malicious document that implements another approach.
https://isc.sans.edu/diary/rss/29810
How to Analyze Java Malware - A Case Study of STRRAT
STRRAT is a Java-based malware that executes multiple commands transmitted by the C2 server. The JAR file was obfuscated using the Allatori obfuscator. It establishes persistence on the host by copying to the Startup folder and creating a scheduled task and a Run registry entry. The functionalities of the implemented commands include: reboot the machine, uninstall the malware and delete all its traces, download and execute files [..]
https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-strrat#page=1
Vulnerabilities
S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014
S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service. This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web request, possibly allowing an attacker to move files that should normally be inaccessible to them.
https://www.drupal.org/sa-contrib-2023-014
Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW
Patchday Fortinet: Attackers could execute their own commands
There are important security updates for various Fortinet products. None of the vulnerabilities is rated critical.
https://heise.de/-8986618
Security updates for Thursday
Security updates have been issued by Fedora (python-sentry-sdk) and Ubuntu (python-django and ruby2.3, ruby2.5, ruby2.7).
https://lwn.net/Articles/930903/
Malicious IKEv1 packet by unauthenticated peer can cause libreswan to restart
The Libreswan Project was notified by github user "XU-huai" of an issue with receiving a malformed IKEv1 Aggressive Mode packet that would cause a crash and restart of the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack.
https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt
Apple: Beats Firmware Update 5B66
http://support.apple.com/kb/HT213752
Apple: AirPods Firmware Update 5E133
http://support.apple.com/kb/HT213752
IBM ECM Content Management Interoperability Services (CMIS) spring-expression security vulnerability CVE-2023-20861
https://www.ibm.com/support/pages/node/6988109
IBM ECM Content Management Interoperability Services (CMIS) cfx-core security vulnerabilities CVE-2022-46363, CVE-2022-46364
https://www.ibm.com/support/pages/node/6988115
IBM ECM Content Management Interoperability Services (CMIS) woodstox/XStream security vulnerability CVE-2022-40152
https://www.ibm.com/support/pages/node/6988117
IBM InfoSphere Information Server is affected but not classified as vulnerable to a denial of service vulnerability in NumPy (CVE-2021-34141)
https://www.ibm.com/support/pages/node/6988125
A vulnerability has been identified in IBM HTTP Server used by IBM Rational ClearQuest (CVE-2023-25690)
https://www.ibm.com/support/pages/node/6988293
A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-26283)
https://www.ibm.com/support/pages/node/6988295
IBM Virtualization Engine TS7700 is vulnerable to a privilege escalation threat (CVE-2023-24958)
https://www.ibm.com/support/pages/node/6980845
IBM ECM Content Management Interoperability Services (CMIS) spring-expression/spring-core security vulnerability [CVE-2023-20863]
https://www.ibm.com/support/pages/node/6988341
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities
https://www.ibm.com/support/pages/node/6988351