Daily summary - 12.07.2023

End-of-Day report

Timeframe: Tuesday 11-07-2023 18:00 - Wednesday 12-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Patch Tuesday: Microsoft reports five zero-days, some without an update

Microsoft's July Patch Tuesday delivers many updates: the company addresses 130 vulnerabilities, among them five zero-days. One security vulnerability remains open, however.

https://heise.de/-9213685


Partly critical security vulnerabilities in Citrix Secure Access clients

Citrix has released updates for the Secure Access clients that fix vulnerabilities, some of them critical.

https://heise.de/-9214076


Update against critical vulnerability in FortiOS/FortiProxy

Fortinet is distributing security updates for FortiOS/FortiProxy. They close a critical security vulnerability.

https://heise.de/-9214207


Patch Tuesday: Critical vulnerabilities sealed in Adobe InDesign and ColdFusion

Adobe's July Patch Tuesday brings security updates for InDesign and ColdFusion. They close vulnerabilities that the vendor rates as a critical risk.

https://heise.de/-9213920


Kernel drivers: Hackers outwit Windows policy using old certificates

By signing their malicious kernel drivers with old certificates, attackers were able to gain full access on Windows systems.

https://www.golem.de/news/kernel-treiber-hacker-ueberlisten-windows-richtlinie-durch-alte-zertifikate-2307-175784.html


vm2 Project Discontinued

TL;DR The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.

https://github.com/patriksimek/vm2/blob/master/README.md


How to Harden WordPress With WP-Config & Avoid Data Exposure

What is wp-config.php? The wp-config.php file is a powerful core WordPress file that is vital for running your website. It contains important configuration settings for WordPress, including details on where to find the database, login credentials, name and host. This config file is also used to define advanced options for database elements, security keys, and developer options. In this post, we'll outline some important website hardening recommendations for your wp-config file [...]

https://blog.sucuri.net/2023/07/tips-for-wp-config-how-to-avoid-sensitive-data-exposure.html


Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining

A new fileless attack dubbed PyLoose has been observed striking cloud workloads with the goal of delivering a cryptocurrency miner, new findings from Wiz reveal. "The attack consists of Python code that loads an XMRig Miner directly into memory using memfd, a known Linux fileless technique," security researchers Avigayil Mechtinger, Oren Ofer, and Itamar Gilad said.

https://thehackernews.com/2023/07/python-based-pyloose-fileless-attack.html


Dissecting a Clever Malware Sample for Optimized Detection and Protection

As part of our product lineup, we offer security monitoring and malware removal services to our Wordfence Care and Response customers. In case of a security incident, our incident response team will investigate the root cause, find and remove malware from your site, and help with other complications that may arise as a result of [...]

https://www.wordfence.com/blog/2023/07/dissecting-a-clever-malware-sample-for-optimized-detection-and-protection/


Qbot, Guloader and SpinOk lead mobile malware ranking

Check Point's threat index for June 2023 shows: Qbot is still the most widespread malware in Germany.

https://www.zdnet.de/88410517/qbot-guloader-und-spinok-fuehren-mobile-malware-ranking-an/


Security Flaws unraveled in Popular QuickBlox Chat and Video Framework could expose sensitive data of millions

Check Point Research (CPR) in collaboration with Claroty Team82 uncovered major security vulnerabilities in the popular QuickBlox platform, used for telemedicine, finance and smart IoT devices. If exploited, the vulnerabilities could allow threat actors to access applications' user databases and expose sensitive data of millions. QuickBlox worked closely with Team82 and CPR to address our disclosure and has fixed the vulnerabilities via a new secure architecture design [...]

https://blog.checkpoint.com/security/security-flaws-unraveled-in-popular-quickblox-chat-and-video-framework-could-exposed-sensitive-data-of-millions/


The Spies Who Loved You: Infected USB Drives to Steal Secrets

In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally.

https://www.mandiant.com/resources/blog/infected-usb-steal-secrets


CISA and FBI Release Cybersecurity Advisory on Enhanced Monitoring to Detect APT Activity Targeting Outlook Online

The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory (CSA), Enhanced Monitoring to Detect APT Activity Targeting Outlook Online, to provide guidance to agencies and critical infrastructure organizations on enhancing monitoring in Microsoft Exchange Online environments.

https://www.cisa.gov/news-events/alerts/2023/07/12/cisa-and-fbi-release-cybersecurity-advisory-enhanced-monitoring-detect-apt-activity-targeting

Vulnerabilities

FortiOS/FortiProxy - Proxy mode with deep inspection - Stack-based buffer overflow

A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection. Workaround: Disable deep inspection on proxy policies or firewall policies with proxy mode.

https://fortiguard.fortinet.com/psirt/FG-IR-23-183


FortiAnalyzer & FortiManager - Path traversal in history downloadzip

An improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability [CWE-23] in FortiAnalyzer and FortiManager management interface may allow a remote and authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.

https://fortiguard.fortinet.com/psirt/FG-IR-22-471


FortiExtender - Path Traversal vulnerability

An improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability [CWE-22] in FortiExtender management interface may allow an unauthenticated and remote attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.

https://fortiguard.fortinet.com/psirt/FG-IR-22-039


FortiOS - Existing websocket connection persists after deleting API admin

An insufficient session expiration [CWE-613] vulnerability in FortiOS REST API may allow an attacker to reuse the session of a deleted user, should the attacker manage to obtain the API token.

https://fortiguard.fortinet.com/psirt/FG-IR-23-028


Interesting Arbitrary File Upload Vulnerability Patched in User Registration WordPress Plugin

On June 19, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Arbitrary File Upload vulnerability in WPEverest's User Registration plugin, which is actively installed on more than 60,000 WordPress websites. This vulnerability makes it possible for an authenticated attacker with minimal permissions, such as a subscriber, to upload [...]

https://www.wordfence.com/blog/2023/07/interesting-arbitrary-file-upload-vulnerability-patched-in-user-registration-wordpress-plugin/


Security updates for Wednesday

Security updates have been issued by Debian (erlang, symfony, thunderbird, and yajl), Fedora (cutter-re, kernel, rizin, and yt-dlp), Red Hat (grafana), SUSE (kernel and python-Django), and Ubuntu (dotnet6, dotnet7 and firefox).

https://lwn.net/Articles/937972/


ICS Patch Tuesday: Siemens, Schneider Electric Fix 50 Vulnerabilities

ICS Patch Tuesday: Siemens and Schneider Electric release nine new security advisories and fix 50 vulnerabilities in their industrial products.

https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-fix-50-vulnerabilities/


Mattermost security updates 7.10.4 / 7.9.6 / 7.8.8 (ESR) released

We're informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 7.10.4, 7.9.6 and 7.8.8 (Extended Support Release), for both Team Edition and Enterprise Edition.

https://mattermost.com/blog/mattermost-security-updates-7-10-4-7-9-6-7-8-8-esr-released/


Windows 7/Server 2008 R2; Server 2012 R2: Updates (July 11, 2023)

On July 11, 2023, various security updates were released for Windows Server 2008 R2 (in its 4th ESU year) as well as for Windows Server 2012/R2 (where applicable, the updates can also still be installed on Windows 7 SP1). Here is an overview of these updates.

https://www.borncity.com/blog/2023/07/12/windows-7-server-2008-r2-server-2012-r2-updates-11-juli-2023/


Sandbox Escape

In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.

https://github.com//patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4


Sandbox Escape

In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code.

https://github.com//patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5


Citrix Secure Access client for Ubuntu Security Bulletin for CVE-2023-24492

https://support.citrix.com/article/CTX564169/citrix-secure-access-client-for-ubuntu-security-bulletin-for-cve202324492


Citrix Secure Access client for Windows Security Bulletin for CVE-2023-24491

https://support.citrix.com/article/CTX561480/citrix-secure-access-client-for-windows-security-bulletin-for-cve202324491


Lenovo UDC Vulnerability

https://support.lenovo.com/product_security/PS500567-LENOVO-UDC-VULNERABILITY


AMD SEV VM Power Side Channel Security Notice

https://support.lenovo.com/product_security/PS500569-AMD-SEV-VM-POWER-SIDE-CHANNEL-SECURITY-NOTICE


AMI MegaRAC SP-X BMC Vulnerabilities

https://support.lenovo.com/product_security/PS500568-AMI-MEGARAC-SP-X-BMC-VULNERABILITIES


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


Rockwell Automation Select Communication Modules

https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01