End-of-Day report
Timeframe: Wednesday 21-06-2023 18:00 - Thursday 22-06-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
Mirai is a still-active botnet with new variants. We highlight the observed exploitation of IoT vulnerabilities because of their low complexity and high impact.
https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
Alert: Million of GitHub Repositories Likely Vulnerable to RepoJacking Attack
Millions of software repositories on GitHub are likely vulnerable to an attack called RepoJacking, a new study has revealed. This includes repositories from organizations such as Google, Lyft, and several others, Massachusetts-based cloud-native security firm Aqua said in a Wednesday report.
https://thehackernews.com/2023/06/alert-million-of-github-repositories.html
LibreOffice Arbitrary File Write (CVE-2023-1883)
While performing a cursory inspection of the LibreOffice Base desktop database, we stumbled across an (arbitrary) file write issue. The fine folks at LibreOffice immediately addressed the vulnerability.
https://secfault-security.com/blog/libreoffice.html
Antivirus: Avast cuts off signature updates for old scanners
Avast is ending support for older virus scanners. Avast versions 9, 10 and 11 will no longer receive updates from the end of summer, including no new signatures.
https://heise.de/-9194464
PoC exploit for Cisco AnyConnect vulnerability CVE-2023-20178 enables SYSTEM privileges
The Cisco AnyConnect Secure Mobility Client software contains a vulnerability through which attackers can obtain SYSTEM privileges on Windows. A proof-of-concept exploit for this vulnerability (CVE-2023-20178) is now available.
https://www.borncity.com/blog/2023/06/22/poc-exploit-fr-cisco-anyconnect-schwachstelle-cve-2023-20178-ermglicht-system-privilegien/
Vulnerabilities
iOS 16.5.1 & Co: Apple closes zero-day vulnerabilities in all systems
The serious vulnerabilities were apparently exploited to plant surveillance tools on Apple hardware. Patches are also available for older hardware.
https://heise.de/-9194404
VMSA-2023-0014
The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.
https://www.vmware.com/security/advisories/VMSA-2023-0014.html
Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites
A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites.
https://thehackernews.com/2023/06/critical-flaw-found-in-wordpress-plugin.html
Security updates for Thursday
Security updates have been issued by Debian (avahi, hsqldb, hsqldb1.8.0, minidlna, trafficserver, and xmltooling), Oracle (.NET 6.0, .NET 7.0, 18, c-ares, firefox, kernel, less, libtiff, libvirt, python, python3.11, texlive, and thunderbird), Red Hat (c-ares, kernel, kernel-rt, kpatch-patch, less, libtiff, libvirt, openssl, and postgresql), Slackware (bind and kernel), SUSE (bluez, curl, geoipupdate, kernel, netty, netty-tcnative, ntp, open-vm-tools, php8, python-reportlab, rustup, Salt, salt, terraform-provider-aws, terraform-provider-null, and webkit2gtk3), and Ubuntu (bind9, linux-aws, linux-azure, linux-bluefield, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-kvm, linux-oracle, linux-raspi, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-oracle, and linux-ibm).
https://lwn.net/Articles/935872/
CISA Adds Six Known Exploited Vulnerabilities to Catalog
CVE-2023-20887 VMware Aria Operations for Networks Command Injection Vulnerability
CVE-2020-35730 Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
CVE-2020-12641 Roundcube Webmail Remote Code Execution Vulnerability
CVE-2021-44026 Roundcube Webmail SQL Injection Vulnerability
CVE-2016-9079 Mozilla Firefox, Firefox ESR, and Thunderbird Use-After-Free Vulnerability
CVE-2016-0165 Microsoft Win32k Privilege Escalation Vulnerability
https://www.cisa.gov/news-events/alerts/2023/06/22/cisa-adds-six-known-exploited-vulnerabilities-catalog
IBM Security Bulletins
IBM App Connect Enterprise, IBM Security Directory Integrator, IBM Security QRadar SIEM, CICS TX, IBM InfoSphere Information Server, IBM MQ, IBM Integration Bus for z/OS, IBM Spectrum Protect, IBM Robotic Process Automation.
https://www.ibm.com/support/pages/bulletin/
ZDI-23-891: (0Day) ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-23-891/
Drupal: Album Photos - Critical - Access bypass - SA-CONTRIB-2023-022
https://www.drupal.org/sa-contrib-2023-022
Drupal: Civic Cookie Control - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-021
https://www.drupal.org/sa-contrib-2023-021
Cisco Duo Two-Factor Authentication for macOS Authentication Bypass Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-mac-bypass-OyZpVPnx
Cisco Secure Email Gateway, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance Cross-Site Scripting Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-sma-wsa-xss-cP9DuEmq
BIND 9: CVE-2023-2828: named's configured cache size limit can be significantly exceeded
https://kb.isc.org/docs/cve-2023-2828
BIND 9: CVE-2023-2829: Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled
https://kb.isc.org/docs/cve-2023-2829
BIND 9: CVE-2023-2911: Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0
https://kb.isc.org/docs/cve-2023-2911
F5: K000134942 : Intel CPU vulnerability CVE-2022-33972
https://my.f5.com/manage/s/article/K000134942
SpiderControl SCADAWebServer
https://www.cisa.gov/news-events/ics-advisories/icsa-23-173-03
Advantech R-SeeNet
https://www.cisa.gov/news-events/ics-advisories/icsa-23-173-02
Nextcloud: End-to-End encrypted file-drops can be made inaccessible
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x7c7-v5r3-mg37
Nextcloud: Password reset endpoint is not brute force protected
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6
Nextcloud: Open redirect on "Unsupported browser" warning
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h353-vvwv-j2r4
Nextcloud: Brute force protection allows to send more requests than intended
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qphh-6xh7-vffg
Nextcloud: User scoped external storage can be used to gather credentials of other users
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h
Nextcloud: System addressbooks can be modified by malicious trusted server
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h7f7-535f-7q87