End-of-Day report
Timeframe: Friday 09-06-2023 18:00 - Monday 12-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Fortinet: SSL-VPN vulnerability allows code injection
Fortinet has released updates for the FortiOS operating system. They close a security vulnerability in the SSL-VPN that allows the injection of malicious code.
https://heise.de/-9184284
Password manager Bitwarden: biometric key was readable by everyone
The password manager Bitwarden supports authentication with Windows Hello. Until recently, the biometric key in Windows could be read by anyone.
https://heise.de/-9184586
New MOVEit Vulnerabilities Found as More Zero-Day Attack Victims Come Forward
Researchers discover new MOVEit vulnerabilities related to the zero-day, just as more organizations hit by the attack are coming forward.
https://www.securityweek.com/new-moveit-vulnerabilities-found-as-more-zero-day-attack-victims-come-forward/
Exploit released for MOVEit RCE bug used in data theft attacks
Horizon3 security researchers have released proof-of-concept (PoC) exploit code for a remote code execution (RCE) bug in the MOVEit Transfer managed file transfer (MFT) solution abused by the Clop ransomware gang in data theft attacks.
https://www.bleepingcomputer.com/news/security/exploit-released-for-moveit-rce-bug-used-in-data-theft-attacks/
Strava heatmap feature can be abused to find home addresses
Researchers at North Carolina State University Raleigh have discovered a privacy risk in the Strava app's heatmap feature that could lead to identifying users' home addresses.
https://www.bleepingcomputer.com/news/security/strava-heatmap-feature-can-be-abused-to-find-home-addresses/
Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency
Kaspersky researchers share insight into multistage DoubleFinger loader attack delivering GreetingGhoul cryptocurrency stealer and Remcos RAT.
https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptocurrency-stealer/109982/
Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer
Security researchers have warned about an "easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions. "A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis researcher Dolev Taler said.
https://thehackernews.com/2023/06/researchers-uncover-publisher-spoofing.html
Bypassing Android Biometric Authentication
Cryptography and authentication issues are not only present in apps with a low number of downloads, but also in very popular apps. Furthermore, this affects also apps that aim to provide a high level of data protection, since they handle sensitive data that should be kept safe. [..] However, it is important to stress that to be able to perform a bypass, an attacker needs root permissions on the device of the victim or is able to talk the victim into installing a modified version of an app [..]
https://sec-consult.com/blog/detail/bypassing-android-biometric-authentication/
Circumventing inotify Watchdogs
Recently I've been building rudimentary file monitoring tools to get better at Golang, and build faux-watchdog programs for research at Arch Cloud Labs. Through this experimentation, I've identified some interesting gaps in the inotify subsystem that are new to me, but are well documented in the Linux man pages. This blog post will explore how to circumvent read detections implemented by inotify.
https://www.archcloudlabs.com/projects/inotify/
Every Signature is Broken: On the Insecurity of Microsoft Office's OOXML Signatures
We are the first to provide an in-depth analysis of Office Open XML (OOXML) Signatures, the Ecma/ISO standard that all Microsoft Office applications use. Our analysis reveals major discrepancies between the structure of office documents and the way digital signatures are verified. These discrepancies lead to serious security flaws in the specification and in the implementation. As a result, we discovered five new attack classes.
https://www.usenix.org/system/files/sec23summer_235-rohlmann-prepub.pdf
Defeating Windows DEP With A Custom ROP Chain
This article explains how to write a custom ROP (Return Oriented Programming) chain to bypass Data Execution Prevention (DEP) on a Windows 10 system. DEP makes certain parts of memory (e.g., the stack) used by an application non-executable. This means that overwriting EIP with a "JMP ESP" (or similar) instruction and then freely executing [...]
https://research.nccgroup.com/2023/06/12/defeating-windows-dep-with-a-custom-rop-chain/
Instagram: Beware of fake "Meta" message
A fake Meta profile messages you on Instagram. Supposedly you have violated copyright. You are asked to fill out an objection form, otherwise your account will be blocked. The link to the form is right there in the message. Caution: this message is fake. Criminals steal your login credentials and then blackmail you.
https://www.watchlist-internet.at/news/instagram-vorsicht-vor-gefaelschter-meta-nachricht/
Varonis warns about Salesforce sites that are no longer in use
Security researchers at Varonis have come across a problem related to Salesforce sites that are orphaned and no longer in use. The researchers at Varonis Threat Labs discovered that improperly deactivated Salesforce sites, so-called ghost sites, continue to retrieve current data and remain accessible to attackers: by manipulating the Host header, cybercriminals can gain access to sensitive personal data and business information.
https://www.borncity.com/blog/2023/06/10/varonis-warnt-vor-nicht-mehr-genutzten-salesforce-sites/
OAuth2 Security Best Current Practices
On 6 June 2023 the IETF updated the document "OAuth2 Security Best Current Practices". The document describes the current best security practice for OAuth 2.0. It updates and extends the OAuth 2.0 Security Threat Model.
https://www.borncity.com/blog/2023/06/11/oauth2-security-best-current-practices/
Vulnerabilities
Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows Privilege Escalation Vulnerability
A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ac-csc-privesc-wx4U4Kw
Security updates for Monday
Security updates have been issued by Debian (pypdf2 and thunderbird), Fedora (chromium, dbus, mariadb, matrix-synapse, sympa, and thunderbird), Scientific Linux (python and python3), SUSE (chromium, gdb, and openldap2), and Ubuntu (jupyter-core, requests, sssd, and vim).
https://lwn.net/Articles/934456/
WordPress Theme Workreap 2.2.2 Unauthenticated Upload Leading to Remote Code Execution
https://cxsecurity.com/issue/WLB-2023060012
ASUS Router RT-AX3000 vulnerable to using sensitive cookies without Secure attribute
https://jvn.jp/en/jp/JVN34232595/
Security Vulnerabilities fixed in Thunderbird 102.12
https://www.mozilla.org/en-US/security/advisories/mfsa2023-21/
This Power System update is being released to address CVE-2023-25683
https://www.ibm.com/support/pages/node/7002721
IBM Content Navigator is vulnerable to DoS due to Apache Commons FileUpload (CVE-2023-24998)
https://www.ibm.com/support/pages/node/7002807
IBMid credentials may be exposed when directly downloading code onto IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Spectrum Virtualize products [CVE-2023-27870]
https://www.ibm.com/support/pages/node/6985697
Vulnerability in requests-2.27.1.tar.gz affects IBM Integrated Analytics System [CVE-2023-32681]
https://www.ibm.com/support/pages/node/7003185
Vulnerability in bottle-0.12.16 affects IBM Integrated Analytics System [CVE-2020-28473]
https://www.ibm.com/support/pages/node/7003195
Vulnerability in bottle-0.12.16 affects IBM Integrated Analytics System [CVE-2022-31799]
https://www.ibm.com/support/pages/node/7003201
Vulnerability in certifi-2018.4.16 affects IBM Integrated Analytics System [CVE-2022-23491]
https://www.ibm.com/support/pages/node/7003205
IBM Cloud Kubernetes Service is affected by two containerd security vulnerabilities (CVE-2023-28642) (CVE-2023-27561)
https://www.ibm.com/support/pages/node/7001317
Multiple vulnerabilities in IBM DB2 affect IBM Operations Analytics Predictive Insights
https://www.ibm.com/support/pages/node/7000903
IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867)
https://www.ibm.com/support/pages/node/7003247
IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867)
https://www.ibm.com/support/pages/node/7003245
IBM App Connect Enterprise Certified Container operands that use the Snowflake connector are vulnerable to arbitrary code execution due to [CVE-2023-34232]
https://www.ibm.com/support/pages/node/7003259
IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to arbitrary code execution due to PostgreSQL (CVE-2023-2454)
https://www.ibm.com/support/pages/node/7003279