Daily summary - 20.07.2023

End-of-Day report

Timeframe: Wednesday 19-07-2023 18:00 - Thursday 20-07-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a

News

Citrix zero-days: detecting traces of attacks on NetScaler ADC and Gateway

The Citrix vulnerabilities were already being attacked in the wild before updates became available. It is therefore advisable to check for traces of attacks.

https://heise.de/-9221655


Microsoft Relents, Offers Free Critical Logging to All 365 Customers

Industry pushback prompts Microsoft to drop premium pricing for access to cloud logging data.

https://www.darkreading.com/application-security/microsoft-relents-offers-free-key-logging-365-customers


Docker Hub images found to expose secrets and private keys

Numerous Docker images shared on Docker Hub are exposing sensitive data, according to a study conducted by researchers at the German university RWTH Aachen. Needless to say, this poses a significant security risk.

https://www.malwarebytes.com/blog/news/2023/07/docker-hub-images-found-to-expose-secrets-and-private-keys


Pay up front in order to work? Stay away from jobs offered by Nice Tech GmbH

On nice102.com, nice02.com, unice688.com, nicetechmax.com and presumably numerous other domains, Nice Tech GmbH operates an opaque pyramid scheme in which you can supposedly earn money from home. The task descriptions are extremely vague, however; to get started you are asked to pay money up front, and most of the money is paid for recruiting new members.

https://www.watchlist-internet.at/news/vorab-bezahlen-um-arbeiten-zu-koennen-finger-weg-von-jobs-der-nice-tech-gmbh/


P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm

A novel peer-to-peer worm written in Rust is uniquely scalable. It targets open-source database Redis and can infect multiple platforms.

https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/


Announcing New DMARC Policy Handling Defaults for Enhanced Email Security

For our consumer service (live.com / outlook.com / hotmail.com), we have changed our DMARC policy handling to honor the sender's DMARC policy. If an email fails DMARC validation and the sender's policy is set to p=reject or p=quarantine, we will reject the email.

https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-new-dmarc-policy-handling-defaults-for-enhanced-email/ba-p/3878883


The SOC Toolbox: Analyzing AutoHotKey compiled executables

A quick post on how to extract AutoHotKey scripts from an AutoHotKey script compiled executable.

https://blog.nviso.eu/2023/07/20/the-soc-toolbox-analyzing-autohotkey-compiled-executables/


Escalating Privileges via Third-Party Windows Installers

In this blog post, we will share how Mandiant's red team researches and exploits zero-day vulnerabilities in third-party Windows Installers, what software developers should do to reduce risk of exploitation, and introduce a new tool to simplify enumeration of cached Microsoft Software Installer (MSI).

https://www.mandiant.com/resources/blog/privileges-third-party-windows-installers

Vulnerabilities

VMware Tanzu Spring: update closes critical vulnerability

Updated versions of VMware Tanzu Spring close security vulnerabilities. One of them is rated critical.

https://heise.de/-9221869


CVE-2023-38205: Adobe ColdFusion Access Control Bypass [FIXED]

Rapid7 discovered that the initial patch for CVE-2023-29298 (Adobe ColdFusion access control bypass vulnerability) did not successfully remediate the issue.

https://www.rapid7.com/blog/post/2023/07/19/cve-2023-38205-adobe-coldfusion-access-control-bypass-fixed/


Wordfence Intelligence Weekly WordPress Vulnerability Report (July 10, 2023 to July 16, 2023)

Last week, there were 69 vulnerabilities disclosed in 68 WordPress plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 vulnerability researchers that contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

https://www.wordfence.com/blog/2023/07/wordfence-intelligence-weekly-wordpress-vulnerability-report-july-10-2023-to-july-16-2023/


Security updates for Thursday

Security updates have been issued by Debian (chromium), Fedora (sysstat), Gentoo (openssh), Mageia (firefox/nss, kernel, kernel-linus, maven, mingw-nsis, mutt/neomutt, php, qt4/qtsvg5, and texlive), Red Hat (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and kpatch-patch), Slackware (curl and openssh), SUSE (curl, grafana, kernel, mariadb, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python-Flask, python310, samba, SUSE Manager Client Tools, and texlive), and Ubuntu (curl, ecdsautils, and samba).

https://lwn.net/Articles/938711/


Apache OpenMeetings Wide Open to Account Takeover, Code Execution

Researcher discovers vulnerabilities in the open source Web application, which were fixed in the latest Apache OpenMeeting update.

https://www.darkreading.com/remote-workforce/apache-openmeetings-account-takeover-code-execution


CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent

In this advisory, we present our research, experiments, reproducible results, and further ideas to exploit this "dlopen() then dlclose()" primitive. We will also publish the source code of our crude fuzzer at https://www.qualys.com/research/security-advisories/.

https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt


Security vulnerabilities in Omnis Studio (SYSS-2023-005/-006)

Implementation errors allow attackers to open and edit private Omnis libraries and locked classes in the Omnis Studio Browser.

https://www.syss.de/pentest-blog/sicherheitsschwachstellen-in-omnis-studio-syss-2023-005/-006


TP-LINK TL-WR840N: vulnerability enables stack buffer overflow DoS

The firmware of the TP-Link router TP-LINK TL-WR840N contains a vulnerability that allows a remote attacker to carry out a stack buffer overflow DoS attack. TP-Link does not intend to publish a security advisory for it, but has made new firmware (TL-WR840N(KR)_V6.2_230702) available on this website.

https://www.borncity.com/blog/2023/07/20/tp-link-tl-wr84-schwachstelle-ermglicht-stack-buffer-overflow-dos/


Cisco BroadWorks Privilege Escalation Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bw-priv-esc-qTgUZOsQ


Cisco Small Business SPA500 Series IP Phones Web UI Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-web-multi-7kvPmu2F


IBM Security Guardium is affected by several vulnerabilities

https://www.ibm.com/support/pages/node/7007815


IBM Db2 Web Query for i is vulnerable to arbitrary code execution due to SnakeYaml [CVE-2022-1471]

https://www.ibm.com/support/pages/node/7013297


IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2023-28530, XFID: 212233, CVE-2022-24999, CVE-2023-28530, CVE-2023-25929)

https://www.ibm.com/support/pages/node/7012621


IBM Workload Scheduler is potentially affected by multiple vulnerabilities in OpenSSL (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286)

https://www.ibm.com/support/pages/node/7003501


IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to security restrictions bypass due to [CVE-2022-32221], [CVE-2023-27533], [CVE-2023-28322]

https://www.ibm.com/support/pages/node/7013517


Security Vulnerabilities in hazelcast client affect IBM Voice Gateway

https://www.ibm.com/support/pages/node/7013527


IBM InfoSphere Information Server is affected by a vulnerability in VMware Tanzu Spring Framework (CVE-2023-20863)

https://www.ibm.com/support/pages/node/7003899


IBM InfoSphere Information Server is affected by a vulnerability in VMware Tanzu Spring Security (CVE-2023-20862)

https://www.ibm.com/support/pages/node/7003901


IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to VMware Tanzu Spring Framework denial of service vulnerability [CVE-2023-20863]

https://www.ibm.com/support/pages/node/7012251