Daily summary - 16.06.2023

End-of-Day report

Timeframe: Thursday 15-06-2023 18:00 - Friday 16-06-2023 18:00 Handler: Robert Waldner Co-Handler: n/a

News

Another RAT Delivered Through VBS, (Fri, Jun 16th)

VBS looks popular these days. After Didier's last diary, I found another interesting script. It started with an email that referenced a fake due invoice. The invoice icon pointed to a URL. Usually, such URLs display a fake login page asking for credentials. Not this time.

https://isc.sans.edu/diary/rss/29956


Demystifying Website Hacktools: Types, Threats, and Detection

When we think about website malware, visible infection symptoms most often come to mind: unwanted ads or pop-ups, redirects to third party sites, or spam keywords in search results. However, in some cases these very symptoms are the results of hacktools, a diverse and often insidious category of software designed to exploit vulnerabilities and compromise website security.

https://blog.sucuri.net/2023/06/demystifying-website-hacktools-types-threats-and-detection.html


ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC

The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actor's capabilities. The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling.

https://thehackernews.com/2023/06/chameldoh-new-linux-backdoor-utilizing.html

Vulnerabilities

FortiOS & FortiProxy: authenticated user null pointer dereference in SSL-VPN

A NULL pointer dereference vulnerability in SSL-VPN may allow an authenticated remote attacker to trigger a crash of the SSL-VPN service via crafted requests. CVE: CVE-2023-33306

https://fortiguard.fortinet.com/psirt/FG-IR-23-015


Microsoft ODBC and OLE DB Remote Code Execution Vulnerability

An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via a connection driver (for example: ODBC and / or OLEDB as applicable).

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29349


Microsoft OLE DB Remote Code Execution Vulnerability

An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32028


Security updates for Friday

Security updates have been issued by Debian (chromium, openjdk-17, and wireshark), Fedora (iniparser, mariadb, mingw-glib2, perl-HTML-StripScripts, php, python3.7, and syncthing), Oracle (.NET 6.0, c-ares, kernel, nodejs, and python3.9), Slackware (libX11), SUSE (amazon-ssm-agent and chromium), and Ubuntu (gsasl, libx11, and sssd).

https://lwn.net/Articles/934939/


Mattermost security updates 7.10.3 / 7.9.5 / 7.8.7 (ESR) released

We're informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities.

https://mattermost.com/blog/mattermost-security-updates-7-10-3-7-9-5-7-8-7-esr-released/


Another critical vulnerability in MOVEit Transfer - workaround and patches available

Another critical security vulnerability has been discovered in MOVEit Transfer. Impact: Since this is an SQL injection vulnerability, it must be assumed that all data stored on affected systems is at risk.

https://cert.at/de/warnungen/2023/6/weitere-kritische-sicherheitslucke-in-moveit-transfer-workaround-und-patches-verfugbar


CISA Releases Fourteen Industrial Control Systems Advisories

* SUBNET PowerSYSTEM Center
* Advantech WebAccessSCADA
* Siemens SICAM Q200 Devices
* Siemens SIMOTION
* Siemens SIMATIC WinCC
* Siemens TIA Portal
* Siemens SIMATIC WinCC V7
* Siemens SIMATIC STEP 7 and Derived Products
* Siemens Solid Edge
* Siemens SIMATIC S7-1500 TM MFP BIOS
* Siemens SIMATIC S7-1500 TM MFP Linux Kernel
* Siemens SINAMICS Medium Voltage Products
* Siemens SICAM A8000 Devices
* Siemens Teamcenter Visualization and JT2Go

https://www.cisa.gov/news-events/alerts/2023/06/15/cisa-releases-fourteen-industrial-control-systems-advisories


Multiple vulnerabilities in Panasonic AiSEG2

https://jvn.jp/en/jp/JVN19748237/


ZDI-23-879: (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-879/


ZDI-23-878: (0Day) Ashlar-Vellum Cobalt AR File Parsing Uninitialized Memory Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-878/


ZDI-23-877: (0Day) Ashlar-Vellum Cobalt IGS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-877/


ZDI-23-876: (0Day) Ashlar-Vellum Cobalt XE File Parsing Uninitialized Memory Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-876/


ZDI-23-875: (0Day) Ashlar-Vellum Cobalt XE File Parsing Uninitialized Memory Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-875/


ZDI-23-874: (0Day) Ashlar-Vellum Cobalt XE File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-874/


ZDI-23-873: (0Day) Ashlar-Vellum Cobalt Stack-based Buffer Overflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-873/


ZDI-23-872: (0Day) Ashlar-Vellum Cobalt Heap-based Buffer Overflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-872/


ZDI-23-871: (0Day) Ashlar-Vellum Cobalt Untrusted Pointer Dereference Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-871/


ZDI-23-870: (0Day) Ashlar-Vellum Cobalt Uninitialized Memory Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-870/


ZDI-23-869: (0Day) Ashlar-Vellum Cobalt Untrusted Pointer Dereference Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-869/


ZDI-23-868: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-868/


ZDI-23-867: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-867/


ZDI-23-866: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-866/


ZDI-23-865: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Write Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-865/


ZDI-23-864: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Access Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-864/


ZDI-23-863: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Read Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-863/


ZDI-23-862: (0Day) Ashlar-Vellum Cobalt CO File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-862/


ZDI-23-861: (0Day) Ashlar-Vellum Cobalt CO File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-861/


ZDI-23-860: (0Day) Ashlar-Vellum Cobalt XE File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-860/


ZDI-23-859: (0Day) Ashlar-Vellum Cobalt CO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-23-859/


CVE-2023-32027 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32027


CVE-2023-29356 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29356


CVE-2023-32025 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32025


CVE-2023-32026 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32026


Multiple vulnerabilities in Curl affect PowerSC

https://www.ibm.com/support/pages/node/7004263


There is a security vulnerability in AWS SDK for Java used by Maximo Asset Management (CVE-2022-31159)

https://www.ibm.com/support/pages/node/7002345


IBM SPSS Modeler is vulnerable to SSL private key exposure (CVE-2023-33842)

https://www.ibm.com/support/pages/node/7004299


Vulnerability of xmlbeans-2.6.0.jar has affected APM DataPower agent

https://www.ibm.com/support/pages/node/7004599


Vulnerabilities of Apache commons codec (commons-codec-1.6.jar) have affected APM NetApp Storage and APM File Gateway Agent

https://www.ibm.com/support/pages/node/7004597


IBM Cloud Pak for Security includes components with multiple known vulnerabilities

https://www.ibm.com/support/pages/node/7004655


IBM Cloud Pak for Security includes components with multiple known vulnerabilities

https://www.ibm.com/support/pages/node/7004653