End-of-Day report
Timeframe: Monday 10-07-2023 18:00 - Tuesday 11-07-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
News
Exploit for root vulnerability in VMware Aria Operations for Logs has surfaced
Updates released in April close several, partly critical, security vulnerabilities in VMware Aria Operations for Logs. Exploit code that attacks one of these flaws has now surfaced.
https://heise.de/-9212276
Fake e-mail about an EU grant of 850,000 euros in circulation
A fake e-mail about an EU grant of 850,000 euros is currently circulating. The subsidy was allegedly set up for companies, start-ups and individuals with innovative ideas. Anyone who wants to apply for the money is asked to send personal data to an e-mail address. The offer is fake: do not reply, and move the e-mail to your spam folder.
https://www.watchlist-internet.at/news/fake-e-mail-einer-eu-foerderung-ueber-850000-euro-im-umlauf/
Roots of Trust are difficult
The phrase "Root of Trust" turns up at various points in discussions about verified boot and measured boot, and to a first approximation nobody is able to give you a coherent explanation of what it means[1]. The Trusted Computing Group has a fairly wordy definition, but (a) it's a lot of words and (b) I don't like it, so instead I'm going to start by defining a root of trust as "A thing that has to be trustworthy for anything else on your computer to be trustworthy".
https://mjg59.dreamwidth.org/66907.html
It's Raining Phish and Scams - How Cloudflare Pages.dev and Workers.dev Domains Get Abused
As they say, when it rains, it pours. Recently, we observed more than 3,000 phishing emails containing phishing URLs abusing services at workers.dev and pages.dev domains.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/its-raining-phish-and-scams-how-cloudflare-pages-dev-and-workers-dev-domains-get-abused/
Critical Foswiki Vulnerabilities: A Logic Error Turned Remote Code Execution
We love open-source software. In context of our mission #moresecurity, Christian Pöschl, security consultant and penetration tester at usd HeroLab had a look at Foswiki as a research project. In this blog post, we summarize the journey to discover the functionality of Foswiki and identify multiple vulnerabilities, which ultimately allowed us to elevate privileges from a freshly registered user to full remote code execution on the server. All vulnerabilities were reported to the developers according to our Responsible Disclosure Policy.
https://herolab.usd.de/en/critical-foswiki-vulnerablities-a-logic-error-turned-remote-code-execution/
Cybercriminals Evolve Antidetect Tooling for Mobile OS-Based Fraud
Cybercriminals continue to evolve their tactics, techniques, and procedures (TTPs) to defraud the customers of online banking, payment systems, advertising networks, and online marketplaces worldwide. Resecurity has observed a rising trend involving threat actors increased use of specialized mobile Android OS device spoofing tools. These tools enable fraudsters to impersonate compromised account holders and bypass anti-fraud controls effectively.
https://www.resecurity.com/blog/article/cybercriminals-evolve-antidetect-tooling-for-mobile-os-based-fraud
Lowering the Bar(d)? Check Point Research's security analysis spurs concerns over Google Bard's limitations
Check Point Research (CPR) releases an analysis of Google's generative AI platform "Bard", surfacing several scenarios where the platform permits cybercriminals' malicious efforts. Check Point Researchers were able to generate phishing emails, malware keyloggers and basic ransomware code.
https://blog.checkpoint.com/security/lowering-the-bard-check-point-researchs-security-analysis-spurs-concerns-over-google-bards-limitations/
MISP 2.4.173 released with various bugfixes and improvements
We have added a new functionality allowing administrators to enable user self-service for forgotten passwords. When enabled, users will have an additional link below the login screen, allowing them to enter their e-mails and receive a token that can be used to reset their passwords.
https://github.com/MISP/MISP/releases/tag/v2.4.173
Unveiling the secrets: Exploring whitespace steganography for secure communication
In the realm of data security, there exists a captivating technique known as whitespace steganography. Unlike traditional methods of encryption, whitespace steganography allows for the hiding of sensitive information within whitespace characters, such as spaces, tabs, and line breaks.
https://cybersecurity.att.com/blogs/security-essentials/unveiling-the-secrets-exploring-whitespace-steganography-for-secure-communication
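To make the technique concrete, the following added example (written for this report, not code from the AT&T post) hides a payload in the trailing whitespace of an ordinary cover text, recovers it, and also shows the simple check a defender can run: lines that end in a long or mixed run of spaces and tabs are not something a human editor produces. The cover text and the encoding (one payload byte per line, space = 0, tab = 1, a NUL byte as terminator) are assumptions of this example.

```python
"""Whitespace steganography: hide bytes in trailing spaces and tabs.

Added example, not the original article's code. Encoding assumed here:
each cover line carries one 8-bit payload chunk as trailing whitespace
(space = bit 0, tab = bit 1) and a 0x00 byte marks the end of the message.
"""

# Constructed sample cover text (no trailing whitespace on any line).
COVER = """The quarterly report is attached for review.
Please send comments by Friday.
Regards,
The finance team
"""

SPACE, TAB = " ", "\t"  # carrier symbols for bit 0 and bit 1


def _to_bits(data: bytes) -> str:
    """Big-endian bit string of the given bytes, 8 bits per byte."""
    return "".join(f"{b:08b}" for b in data)


def hide(cover: str, payload: bytes) -> str:
    """Append the payload (plus NUL terminator) as trailing whitespace.

    One payload byte goes on each cover line. If the cover has fewer
    lines than the payload has bytes, empty carrier lines are appended,
    which is itself a visible artefact a reviewer may notice.
    """
    bits = _to_bits(payload + b"\x00")
    chunks = [bits[i:i + 8] for i in range(0, len(bits), 8)]
    lines = cover.rstrip("\n").split("\n")
    while len(lines) < len(chunks):
        lines.append("")
    out = []
    for idx, line in enumerate(lines):
        line = line.rstrip(" \t")  # normalise any existing trailing whitespace
        if idx < len(chunks):
            line += "".join(TAB if c == "1" else SPACE for c in chunks[idx])
        out.append(line)
    return "\n".join(out) + "\n"


def extract(stego: str) -> bytes:
    """Recover the payload; stops at the NUL terminator.

    Lines whose trailing whitespace is not exactly 8 characters are
    treated as non-carrier lines and skipped.
    """
    out = bytearray()
    for line in stego.split("\n"):
        trailing = line[len(line.rstrip(" \t")):]
        bits = "".join("1" if c == TAB else "0" for c in trailing)
        if len(bits) != 8:
            continue
        byte = int(bits, 2)
        if byte == 0:
            break
        out.append(byte)
    return bytes(out)


def suspicious_lines(text: str) -> list:
    """Detection heuristic: 1-based numbers of lines whose trailing
    whitespace is 8+ characters long or mixes tabs and spaces."""
    hits = []
    for n, line in enumerate(text.split("\n"), 1):
        trailing = line[len(line.rstrip(" \t")):]
        if len(trailing) >= 8 or (SPACE in trailing and TAB in trailing):
            hits.append(n)
    return hits


if __name__ == "__main__":
    stego = hide(COVER, b"key")
    print(repr(stego))
    print("recovered:", extract(stego))
    print("suspicious lines:", suspicious_lines(stego))
```

Stripping the trailing whitespace gives back the cover text unchanged, which is why this survives a casual read; a mail gateway or DLP rule that normalises trailing whitespace, or flags lines matching `[ \t]{8,}$`, breaks the channel.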
Defend Against the Latest Active Directory Certificate Services Threats
To help security professionals understand the complexities of AD CS and how to mitigate its abuse, Mandiant has published a hardening guide that focuses on the most impactful AD CS attack techniques and abuse scenarios we are seeing on the frontlines of the latest breaches and attacks.
https://www.mandiant.com/blog/resources/defend-ad-cs-threats
Vulnerabilities
Zero-day in Safari closed - Update: withdrawn
On Monday evening Apple pushed out a rapid update for its browser. Affected by the flaw, which is apparently already being exploited: Macs and mobile devices. [...] Apple has since withdrawn the RSR updates for Mac, iPhone and iPad. The reason is apparently that various websites showed warnings after the update that the updated Safari browser was "no longer" supported. Apple has in the User-Agent string a
https://heise.de/-9212228
Patch day: SAP warns of 16 security vulnerabilities in its business software
On the July patch day, SAP published 16 security notes for the company's business software. The updates also close a critical vulnerability.
https://heise.de/-9213319
ABB: 2023-02-10 (**Updated 2023-07-10**) - Cyber Security Advisory - Drive Composer multiple vulnerabilities
Updated to reflect the latest version 2.8.2 of Drive Composer (both Entry and pro) where vulnerability CVE-2022-35737 has been resolved. Originally this vulnerability had not been resolved when this advisory was published alongside Drive Composer 2.8.1.
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A7957
Siemens Security Advisories
Siemens has released 5 new and 12 updated Security Advisories. (CVSS Scores ranging from 5.3 to 10)
https://new.siemens.com/global/en/products/services/cert.html?d=2023-07
Security updates for Tuesday
Security updates have been issued by Debian (mediawiki and node-tough-cookie), Red Hat (bind, kernel, kpatch-patch, and python38:3.8, python38-devel:3.8), SUSE (kernel, nextcloud-desktop, and python-tornado), and Ubuntu (dwarves-dfsg and thunderbird).
https://lwn.net/Articles/937879/
CVE-2023-29298: Adobe ColdFusion Access Control Bypass
Rapid7 discovered an access control bypass vulnerability affecting Adobe ColdFusion that allows an attacker to access the administration endpoints.
https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/
Technicolor: VU#913565: Hard-coded credentials in Technicolor TG670 DSL gateway router
https://kb.cert.org/vuls/id/913565
Mozilla: Security Vulnerabilities fixed in Firefox 115.0.2 and Firefox ESR 115.0.2
https://www.mozilla.org/en-US/security/advisories/mfsa2023-26/
Lenovo: NVIDIA Display Driver Advisory - June 2023
http://support.lenovo.com/product_security/PS500566-NVIDIA-DISPLAY-DRIVER-ADVISORY-JUNE-2023
Panasonic Control FPWin Pro7
https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-03
Rockwell Automation Enhanced HIM
https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-01
Sensormatic Electronics iSTAR
https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-02
TADDM affected by multiple vulnerabilities due to IBM Java and its runtime
https://www.ibm.com/support/pages/node/7009499
IBM Db2 with Federated configuration is vulnerable to arbitrary code execution. (CVE-2023-35012)
https://www.ibm.com/support/pages/node/7010747
IBM Robotic Process Automation is vulnerable to disclosure of server version information (CVE-2023-35900)
https://www.ibm.com/support/pages/node/7010895
IBM Sterling Connect:Express for UNIX browser UI is vulnerable to attacks that rely on the use of cookies without the SameSite attribute
https://www.ibm.com/support/pages/node/7010921
IBM Sterling Connect:Express for UNIX is vulnerable to server-side request forgery (SSRF)
https://www.ibm.com/support/pages/node/7010923
IBM Sterling Connect:Express uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
https://www.ibm.com/support/pages/node/7010925
Vulnerability of System.Text.Encodings.Web.4.5.0 .dll has affected .NET Agent
https://www.ibm.com/support/pages/node/7010945
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple vulnerabilities in Python
https://www.ibm.com/support/pages/node/7011035
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple vulnerabilities in Perl
https://www.ibm.com/support/pages/node/7011033
IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to GNU Libtasn1 information disclosure vulnerability [CVE-2021-46848]
https://www.ibm.com/support/pages/node/7011037
Vulnerabilities have been identified in OpenSSL, Apache HTTP Server and other system libraries shipped with the DS8000 Hardware Management Console (HMC)
https://www.ibm.com/support/pages/node/7006449