End-of-Day report
Timeframe: Thursday 15-06-2023 18:00 - Friday 16-06-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Another RAT Delivered Through VBS, (Fri, Jun 16th)
VBS looks popular these days. After Didier's last diary, I found another interesting script. It started with an email that referenced a fake due invoice. The invoice icon pointed to a URL. Usually, such URLs display a fake login page asking for credentials. Not this time.
https://isc.sans.edu/diary/rss/29956
Demystifying Website Hacktools: Types, Threats, and Detection
When we think about website malware, visible infection symptoms most often come to mind: unwanted ads or pop-ups, redirects to third party sites, or spam keywords in search results. However, in some cases these very symptoms are the results of hacktools, a diverse and often insidious category of software designed to exploit vulnerabilities and compromise website security.
https://blog.sucuri.net/2023/06/demystifying-website-hacktools-types-threats-and-detection.html
ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC
The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actor's capabilities. The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling.
https://thehackernews.com/2023/06/chameldoh-new-linux-backdoor-utilizing.html
Vulnerabilities
FortiOS & FortiProxy: authenticated user null pointer dereference in SSL-VPN
A NULL pointer dereference vulnerability in SSL-VPN may allow an authenticated remote attacker to trigger a crash of the SSL-VPN service via crafted requests.
CVE: CVE-2023-33306
https://fortiguard.fortinet.com/psirt/FG-IR-23-015
Microsoft ODBC and OLE DB Remote Code Execution Vulnerability
An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via a connection driver (for example: ODBC and / or OLEDB as applicable).
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29349
Microsoft OLE DB Remote Code Execution Vulnerability
An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32028
Security updates for Friday
Security updates have been issued by Debian (chromium, openjdk-17, and wireshark), Fedora (iniparser, mariadb, mingw-glib2, perl-HTML-StripScripts, php, python3.7, and syncthing), Oracle (.NET 6.0, c-ares, kernel, nodejs, and python3.9), Slackware (libX11), SUSE (amazon-ssm-agent and chromium), and Ubuntu (gsasl, libx11, and sssd).
https://lwn.net/Articles/934939/
Mattermost security updates 7.10.3 / 7.9.5 / 7.8.7 (ESR) released
We're informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities.
https://mattermost.com/blog/mattermost-security-updates-7-10-3-7-9-5-7-8-7-esr-released/
Another critical vulnerability in MOVEit Transfer - workaround and patches available
Another critical vulnerability has been discovered in MOVEit Transfer. Impact: since this is a SQL injection vulnerability, it must be assumed that all data stored on affected systems is at risk.
https://cert.at/de/warnungen/2023/6/weitere-kritische-sicherheitslucke-in-moveit-transfer-workaround-und-patches-verfugbar
CISA Releases Fourteen Industrial Control Systems Advisories
* SUBNET PowerSYSTEM Center
* Advantech WebAccessSCADA
* Siemens SICAM Q200 Devices
* Siemens SIMOTION
* Siemens SIMATIC WinCC
* Siemens TIA Portal
* Siemens SIMATIC WinCC V7
* Siemens SIMATIC STEP 7 and Derived Products
* Siemens Solid Edge
* Siemens SIMATIC S7-1500 TM MFP BIOS
* Siemens SIMATIC S7-1500 TM MFP Linux Kernel
* Siemens SINAMICS Medium Voltage Products
* Siemens SICAM A8000 Devices
* Siemens Teamcenter Visualization and JT2Go
https://www.cisa.gov/news-events/alerts/2023/06/15/cisa-releases-fourteen-industrial-control-systems-advisories
Multiple vulnerabilities in Panasonic AiSEG2
https://jvn.jp/en/jp/JVN19748237/
ZDI-23-879: (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-879/
ZDI-23-878: (0Day) Ashlar-Vellum Cobalt AR File Parsing Uninitialized Memory Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-878/
ZDI-23-877: (0Day) Ashlar-Vellum Cobalt IGS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-877/
ZDI-23-876: (0Day) Ashlar-Vellum Cobalt XE File Parsing Uninitialized Memory Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-876/
ZDI-23-875: (0Day) Ashlar-Vellum Cobalt XE File Parsing Uninitialized Memory Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-875/
ZDI-23-874: (0Day) Ashlar-Vellum Cobalt XE File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-874/
ZDI-23-873: (0Day) Ashlar-Vellum Cobalt Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-873/
ZDI-23-872: (0Day) Ashlar-Vellum Cobalt Heap-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-872/
ZDI-23-871: (0Day) Ashlar-Vellum Cobalt Untrusted Pointer Dereference Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-871/
ZDI-23-870: (0Day) Ashlar-Vellum Cobalt Uninitialized Memory Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-870/
ZDI-23-869: (0Day) Ashlar-Vellum Cobalt Untrusted Pointer Dereference Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-869/
ZDI-23-868: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-868/
ZDI-23-867: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-867/
ZDI-23-866: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-866/
ZDI-23-865: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Write Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-865/
ZDI-23-864: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Access Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-864/
ZDI-23-863: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Read Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-863/
ZDI-23-862: (0Day) Ashlar-Vellum Cobalt CO File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-862/
ZDI-23-861: (0Day) Ashlar-Vellum Cobalt CO File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-861/
ZDI-23-860: (0Day) Ashlar-Vellum Cobalt XE File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-860/
ZDI-23-859: (0Day) Ashlar-Vellum Cobalt CO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-859/
CVE-2023-32027 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32027
CVE-2023-29356 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29356
CVE-2023-32025 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32025
CVE-2023-32026 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32026
Multiple vulnerabilities in Curl affect PowerSC
https://www.ibm.com/support/pages/node/7004263
There is a security vulnerability in AWS SDK for Java used by Maximo Asset Management (CVE-2022-31159)
https://www.ibm.com/support/pages/node/7002345
IBM SPSS Modeler is vulnerable to SSL private key exposure (CVE-2023-33842)
https://www.ibm.com/support/pages/node/7004299
Vulnerability of xmlbeans-2.6.0.jar has affected APM DataPower agent.
https://www.ibm.com/support/pages/node/7004599
Vulnerabilities of Apache commons codec (commons-codec-1.6.jar) have affected APM NetApp Storage and APM File Gateway Agent
https://www.ibm.com/support/pages/node/7004597
IBM Cloud Pak for Security includes components with multiple known vulnerabilities
https://www.ibm.com/support/pages/node/7004655
IBM Cloud Pak for Security includes components with multiple known vulnerabilities
https://www.ibm.com/support/pages/node/7004653