End-of-Day report
Timeframe: Wednesday 24-05-2023 18:00 - Thursday 25-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Hackers target 1.5M WordPress sites with cookie consent plugin exploit
Ongoing attacks are targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in a WordPress cookie consent plugin named Beautiful Cookie Consent Banner with more than 40,000 active installs.
https://www.bleepingcomputer.com/news/security/hackers-target-15m-wordpress-sites-with-cookie-consent-plugin-exploit/
A new OAuth vulnerability that may impact hundreds of online services
This post details issues identified in Expo, a popular framework used by many online services to implement OAuth (as well as other functionality). The vulnerability in the expo-auth-session library warranted a CVE assignment - CVE-2023-28131. Expo created a hotfix within the day that automatically provided mitigation, but Expo recommends that customers update their deployment to deprecate this service to fully remove the risk (see the Expo security advisory on the topic).
https://salt.security/blog/a-new-oauth-vulnerability-that-may-impact-hundreds-of-online-services
codeexplain.vim: A nvim plugin Powered by GPT4ALL for Real-time Code Explanation and Vulnerability Detection (no internet necessary)
codeexplain.nvim is a NeoVim plugin that uses the GPT4ALL language model to provide on-the-fly, line-by-line explanations of selected code and to point out potential security vulnerabilities directly in your NeoVim editor. It's like having your personal code assistant right inside your editor, without leaking your codebase to any company.
https://github.com/mthbernardes/codeexplain.nvim
Google Authenticator: device encryption promised but not delivered
Google has added a backup function to the Authenticator, but it does not encrypt the secrets. An update was supposed to change that. It does not.
https://heise.de/-9065547
Buhti: New Ransomware Operation Relies on Repurposed Payloads
Attackers use rebranded variants of the leaked LockBit and Babuk ransomware payloads but rely on their own custom exfiltration tool.
https://symantec-enterprise-blogs.security.com/threat-intelligence/buhti-ransomware
Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware
Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).
https://blog.talosintelligence.com/mercenary-intellexa-predator/
Abusing Web Services Using Automated CAPTCHA-Breaking Services and Residential Proxies
This blog entry features three case studies that show how malicious actors evade the antispam, antibot, and antiabuse measures of online web services via residential proxies and CAPTCHA-breaking services.
https://www.trendmicro.com/en_us/research/23/e/abusing-web-services-using-automated-captcha-breaking-services-and-residential-proxies.html
Vulnerabilities
Security vulnerabilities, some critical, in Mitel MiVoice Connect
Mitel's MiVoice Connect and Connect Mobility Router contain security vulnerabilities, some of them critical. Updates that close them are available.
https://heise.de/-9064992
Critical security update (24 May 2023) for all Zyxel firewall products - attacks already under way
The Taiwanese manufacturer Zyxel has released a highly critical security update for all of its security products. The security advisory states that it concerns several buffer overflow vulnerabilities (CVE-2023-33009, CVE-2023-33010).
https://www.borncity.com/blog/2023/05/25/kritisches-sicherheitsupdate-24-mai-2023-fr-alle-zyxel-firewall-produkte-angriffe-laufen-bereits/
Critical security vulnerability with the highest severity rating threatens GitLab
An important security update is available for the GitLab version control system. Developers should act now.
https://heise.de/-9065150
Security updates for Thursday
Security updates have been issued by Debian (python2.7), Fedora (maradns), Red Hat (devtoolset-12-binutils, go-toolset and golang, httpd24-httpd, jenkins and jenkins-2-plugins, rh-ruby27-ruby, and sudo), Scientific Linux (git), Slackware (texlive), SUSE (cups-filters, poppler, texlive, distribution, golang-github-vpenso-prometheus_slurm_exporter, kubernetes1.18, kubernetes1.23, openvswitch, rmt-server, and ucode-intel), and Ubuntu (ca-certificates, calamares-settings-ubuntu, Jhead, libhtml-stripscripts-perl, and postgresql-10, postgresql-12, postgresql-14, postgresql-15).
https://lwn.net/Articles/932994/
Wacom Tablet Driver installer for macOS vulnerable to improper link resolution before file access
https://jvn.jp/en/jp/JVN90278893/
D-Link D-View 8 : v2.0.1.27 and below : TrendMicro (ZDI) Reported Multiple Vulnerabilities
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10332
Autodesk: Multiple Vulnerabilities in PSKernel component used by specific Autodesk products
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0009
Autodesk: Privilege Escalation Vulnerability in the Autodesk Installer Software
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0010
F5: K000134768 : Linux kernel vulnerability CVE-2022-4378
https://my.f5.com/manage/s/article/K000134768
F5: K000134770 : Linux kernel vulnerability CVE-2022-42703
https://my.f5.com/manage/s/article/K000134770
Moxa MXsecurity Series
https://www.cisa.gov/news-events/ics-advisories/icsa-23-145-01
Nextcloud: Blind SSRF in the Mail app on avatar endpoint
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8gph-9895-w564
Nextcloud: Contacts - PHOTO svg only sanitized if mime type is all lower case
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx
Nextcloud: Error in calendar when booking an appointment reveals the full path of the website
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2792-2734-hr7j
Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.
https://www.ibm.com/support/pages/node/6987493
IBM HTTP Server is vulnerable to information disclosure due to IBM GSKit (CVE-2023-32342)
https://www.ibm.com/support/pages/node/6998037
IBM Planning Analytics Workspace has addressed a vulnerability in SnakeYaml (CVE-2022-1471)
https://www.ibm.com/support/pages/node/6998025
Vulnerability from log4j-1.2.16.jar affects IBM Operations Analytics - Log Analysis (CVE-2023-26464)
https://www.ibm.com/support/pages/node/6998333
IBM App Connect Enterprise Certified Container IntegrationServer operands that run Designer flows are vulnerable to arbitrary code execution due to [CVE-2022-37614]
https://www.ibm.com/support/pages/node/6998341
IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service due to [CVE-2023-2251]
https://www.ibm.com/support/pages/node/6998357
A vulnerability in Etcd-io could affect IBM CICS TX Standard [CVE-2021-28235]
https://www.ibm.com/support/pages/node/6998361
A vulnerability in Etcd-io could affect IBM CICS TX Advanced [CVE-2021-28235]
https://www.ibm.com/support/pages/node/6998367
IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to arbitrary code execution due to [CVE-2023-30547]
https://www.ibm.com/support/pages/node/6998381
Due to the use of Apache spring-web, IBM ECM Content Management Interoperability Services (CMIS) is affected by the remote code execution (RCE) security vulnerability CVE-2016-1000027
https://www.ibm.com/support/pages/node/6998405
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Go
https://www.ibm.com/support/pages/node/6998391