Daily Summary - 10.05.2023

End-of-Day report

Timeframe: Tuesday 09-05-2023 18:00 - Wednesday 10-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter

News

Patch day: Adobe closes malicious-code vulnerability in Substance 3D Painter

There are important security updates for Adobe Substance 3D Painter. Anyone who edits 3D models with it should update the application.

https://heise.de/-8991973


Microsoft Patch day: Attackers gain SYSTEM privileges on Windows

Among other products, Microsoft closes several critical malicious-code vulnerabilities in Windows. Attacks are already underway, and more could be imminent.

https://heise.de/-8991967


Critical vulnerabilities allow takeover of Aruba access points

HPE subsidiary Aruba closes several, in part critical, security vulnerabilities in its access points. Attackers from the network could inject malicious code.

https://heise.de/-8992292


Patch day: 18 security notes on partly critical vulnerabilities in SAP software

On its May patch day, SAP seals partly critical security vulnerabilities in the company's software. IT administrators should apply the updates promptly.

https://heise.de/-8992005


Root privileges for local attackers thanks to vulnerabilities in the Linux kernel

Security vulnerabilities hide in two components of the Linux kernel that hand local attackers a root shell. A first exploit is public.

https://heise.de/-8992648


Easily bypassed patch makes zero-click Outlook flaw exploitable again (CVE-2023-29324)

Among the vulnerabilities fixed by Microsoft on May 2023 Patch Tuesday is CVE-2023-29324, a bug in the Windows MSHTML platform that Microsoft rates as "important." Akamai's research team and Ben Barnea, the researcher who's credited with finding the flaw, disagree with that assessment, because "the new vulnerability [CVE-2023-29324] re-enables the exploitation of a critical vulnerability [CVE-2023-23397] that was seen in the wild and used by APT operators."

https://www.helpnetsecurity.com/2023/05/10/cve-2023-29324/


Beware of fraudulent animal, puppy and kitten sales on the internet

Watchlist Internet is currently receiving an increasing number of reports of fraudulent animal offers from the internet and on social media such as Facebook. Cute pictures of young kittens and puppies on websites designed to build trust lure victims into a rash order and advance payment. A delivery never takes place, no matter how many payment requests from the criminal breeders are complied with!

https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischem-tier-welpen-und-katzenhandel-im-internet/


Free Tool Unlocks Some Encrypted Data in Ransomware Attacks

"White Phoenix" automated tool for recovering data on partially encrypted files hit with ransomware is available on GitHub.

https://www.darkreading.com/attacks-breaches/free-tool-unlocks-some-encrypted-data-in-ransomware-attacks


PwnAssistant - Controlling /homes via a Home Assistant RCE

[..] we decided to look into the very established and known open-source automation ecosystem known as Home Assistant. [..] So without further ado, come with us on this journey to understanding the Home Assistant architecture, enumerating the attack surface and trawling for pre-authentication vulnerabilities within the code base.

https://www.elttam.com/blog/pwnassistant/


Xjquery Wave of WordPress SocGholish Injections

By the end of March, 2023, we started noticing a new wave of SocGholish injections that used the intermediary xjquery[.]com domain. It appeared to be another evolution of the same malware. This time, however, attackers were using the same tricks in a different way.

https://blog.sucuri.net/2023/05/xjquery-wave-of-wordpress-socgholish-injections.html


ESET APT Activity Report Q4 2022-Q1 2023

An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2022 and Q1 2023

https://www.welivesecurity.com/2023/05/09/eset-apt-activity-report-q42022-q12023/

Vulnerabilities

Security updates for Wednesday

Security updates have been issued by Debian (emacs), Fedora (chromium, community-mysql, and LibRaw), Red Hat (nodejs nodejs-nodemon, nodejs:18, and webkit2gtk3), Slackware (mozilla), SUSE (amazon-ssm-agent, conmon, distribution, docker-distribution, google-cloud-sap-agent, ignition, kernel, ntp, prometheus-ha_cluster_exporter, protobuf-c, python-cryptography, runc, and shim), and Ubuntu (ceph, freetype, and node-css-what).

https://lwn.net/Articles/931488/


ICS Patch Tuesday: Siemens, Schneider Electric Address Few Dozen Vulnerabilities

Siemens and Schneider Electric's Patch Tuesday advisories for May 2023 address a few dozen vulnerabilities found in their products.

https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-address-few-dozen-vulnerabilities/


Chipmaker Patch Tuesday: Intel, AMD Address Over 100 Vulnerabilities

Intel and AMD have informed their customers about a total of more than 100 vulnerabilities found in their products.

https://www.securityweek.com/chipmaker-patch-tuesday-intel-amd-address-over-100-vulnerabilities/


Hitachi Energy MSM

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: Modular Switchgear Monitoring (MSM)
Vulnerabilities: Improper Restriction of Excessive Authentication Attempts, Authentication Bypass by Capture-replay, Code Injection, Improper Restriction of Operations within the Bounds of a Memory Buffer, NULL Pointer Dereference, Insufficient Entropy

https://www.cisa.gov/news-events/ics-advisories/icsa-23-129-02


Vulnerability Spotlight: Authentication bypass, use-after-free vulnerabilities found in a library for the µC/OS open-source operating system

TALOS-2022-1680 (CVE-2022-41985) could allow an attacker to bypass the authentication protocol on the operating system, or cause a denial-of-service, by sending the targeted machine a specially crafted set of network packets.

https://blog.talosintelligence.com/vulnerability-spotlight-authentication-bypass-use-after-free-vulnerabilities-found-in-uc/


SLP Protocol Denial-of-Service Guidance

http://support.lenovo.com/product_security/PS500563-SLP-PROTOCOL-DENIAL-OF-SERVICE-GUIDANCE


Multi-vendor BIOS Security Vulnerabilities (May 2023)

http://support.lenovo.com/product_security/PS500559-MULTI-VENDOR-BIOS-SECURITY-VULNERABILITIES-MAY-2023


ThinkPad Dock Driver Elevation of Privilege Vulnerability

http://support.lenovo.com/product_security/PS500562-THINKPAD-DOCK-DRIVER-ELEVATION-OF-PRIVILEGE-VULNERABILITY


[R1] Nessus Network Monitor Version 6.2.1 Fixes Multiple Vulnerabilities

https://www.tenable.com/security/tns-2023-19


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/