End-of-Day report
Timeframe: Monday 24-07-2023 18:00 - Tuesday 25-07-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique
The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets.
https://thehackernews.com/2023/07/casbaneiro-banking-malware-goes-under.html
Rooting the Amazon Echo Dot
Thanks to a debug feature implemented by Lab126 (Amazon's hardware development company) it is now possible to obtain a tethered root on the device. Thanks to strong security practices enforced by the company, such as a chain of trust from the beginning of the boot process, this should not be a major issue.
https://dragon863.github.io/blog/echoroot.html
Will the real Citrix CVE-2023-3519 please stand up?
While the most recent Citrix Security Advisory identifies CVE-2023-3519 as the only vulnerability resulting in unauthenticated remote code execution, there are at least two vulnerabilities that were patched during the most recent version upgrade.
https://www.greynoise.io/blog/will-the-real-citrix-cve-2023-3519-please-stand-up
Forthcoming OpenSSL Releases
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.1.2, 3.0.10 and 1.1.1v. These releases will be made available on Tuesday 1st August 2023 between 1300-1700 UTC. These are security-fix releases. The highest severity issue fixed in each of these three releases is Low.
https://mta.openssl.org/pipermail/openssl-announce/2023-July/000266.html
Phishing alert: our list of current phishing messages
In phishing messages, criminals use e-mail or SMS to ask recipients to follow links or open file attachments. This is how criminals try to get hold of your login, bank or credit card data. Numerous phishing messages are reported to us every day. As soon as we discover new phishing messages, we add them to our phishing alert!
https://www.watchlist-internet.at/news/phishing-alarm-unsere-liste-mit-aktuellen-phishing-nachrichten/
Vulnerabilities
Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo
Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems.
- CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and 8.4.0)
- CVE-2023-22508 (CVSS score: 8.5) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 7.19.8 and 8.2.0)
- CVE-2023-22506 (CVSS score: 7.5) - Injection, RCE (Remote Code Execution) in Bamboo (Fixed in versions 9.2.3 and 9.3.1)
https://thehackernews.com/2023/07/atlassian-releases-patches-for-critical.html
CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability (CVSS: 10.0)
A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions - Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. [..] Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have a patch available now.
https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-API-access-vulnerability?language=en_US
F5 Security Advisory K000135555: Java vulnerabilities CVE-2020-2756 and CVE-2020-2757
This vulnerability may allow an attacker with network access to compromise the affected component. Successful exploit can result in unauthorized ability to cause a partial denial-of-service (DoS) of the affected component. BIG-IP and BIG-IQ Versions known to be vulnerable: BIG-IP (all modules) 13.x-17.x, BIG-IQ Centralized Management 8.0.0-8.3.0
https://my.f5.com/manage/s/article/K000135555
Citrix Hypervisor Security Update for CVE-2023-20593
AMD has released updated microcode to address an issue with certain AMD CPUs. Although this is not an issue in the Citrix Hypervisor product itself, we have released a hotfix that includes this microcode to mitigate this CPU hardware issue.
https://support.citrix.com/article/CTX566835/citrix-hypervisor-security-update-for-cve202320593
Xen Security Advisory XSA-433 x86/AMD: Zenbleed
This issue can be mitigated by disabling AVX, either by booting Xen with `cpuid=no-avx` on the command line, or by specifying `cpuid="host:avx=0"` in the vm.cfg file of all untrusted VMs. However, this will come with a significant impact on the system and is not recommended for anyone able to deploy the microcode or patch described below. [..] In cases where microcode is not available, the appropriate attached patch updates Xen to use a control register to avoid the issue.
https://xenbits.xen.org/xsa/advisory-433.html
VMware VMSA-2023-0016 (CVE-2023-20891)
CVSSv3 Range: 6.5
Synopsis: VMware Tanzu Application Service for VMs and Isolation Segment updates address information disclosure vulnerability
Known Attack Vectors: A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.
https://www.vmware.com/security/advisories/VMSA-2023-0016.html
TYPO3 12.4.4 and 11.5.30 security releases published
All versions are security releases and contain important security fixes - read the corresponding security advisories:
- TYPO3-CORE-SA-2023-002: By-passing Cross-Site Scripting Protection in HTML Sanitizer (CVE-2023-38500)
- TYPO3-CORE-SA-2023-003: Information Disclosure due to Out-of-scope Site Resolution (CVE-2023-38499)
- TYPO3-CORE-SA-2023-004: Cross-Site Scripting in CKEditor4 WordCount Plugin (CVE-2023-37905)
https://typo3.org/article/typo3-1244-and-11530-security-releases-published
Holes plugged: Apple releases iOS 16.6, macOS 13.5, watchOS 9.6 and tvOS 16.6
Fresh Apple updates from Monday evening deliver bug fixes and, above all, security-relevant fixes. Zero-day holes were also among them.
https://heise.de/-9225677
Security updates for Tuesday
Security updates have been issued by Debian (python-git and renderdoc), Red Hat (edk2, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (firefox, libcap, openssh, openssl-1_1, python39, and zabbix), and Ubuntu (cinder, ironic, nova, python-glance-store, python-os-brick, frr, graphite-web, and openssh).
https://lwn.net/Articles/939179/
Security Vulnerabilities fixed in Thunderbird 102.13.1
CVE-2023-3417: File Extension Spoofing using the Text Direction Override Character
An email attachment could be incorrectly shown as being a document file, while in fact it was an executable file. Newer versions of Thunderbird will strip the character and show the correct file extension.
https://www.mozilla.org/en-US/security/advisories/mfsa2023-28/
Spring Security 5.6.12, 5.7.10, 5.8.5, 6.0.5, and 6.1.2 are available now, including fixes for CVE-2023-34034 and CVE-2023-34035
Those versions fix the following CVEs:
- CVE-2023-34034: WebFlux Security Bypass With Un-Prefixed Double Wildcard Pattern
- CVE-2023-34035: Authorization rules can be misconfigured when using multiple servlets
https://spring.io/blog/2023/07/24/spring-security-5-6-12-5-7-10-5-8-5-6-0-5-and-6-1-2-are-available-now
CISA Releases Four Industrial Control Systems Advisories
CISA released four Industrial Control Systems (ICS) advisories on July 25, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
- ICSA-23-206-01 AXIS A1001
- ICSA-23-206-02 Rockwell Automation ThinManager ThinServer
- ICSA-23-206-03 Emerson ROC800 Series RTU and DL8000 Preset Controller
- ICSA-23-206-04 Johnson Controls IQ Wifi 6
https://www.cisa.gov/news-events/alerts/2023/07/25/cisa-releases-four-industrial-control-systems-advisories
2023-07-24: Cyber Security Advisory - ABB Ability Zenon directory permission and internal issues
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&LanguageCode=en&DocumentPartId=&Action=Launch
AMD Cross-Process Information Leak
http://support.lenovo.com/product_security/PS500571-AMD-CROSS-PROCESS-INFORMATION-LEAK
[R1] Stand-alone Security Patch Available for Security Center versions 6.0.0, 6.1.0 and 6.1.1: SC-202307.1-6.x
https://www.tenable.com/security/tns-2023-26
[R1] Stand-alone Security Patch Available for Security Center version 5.23.1: SC-202307.1-5.23.1
https://www.tenable.com/security/tns-2023-25
OAuthlib is vulnerable to CVE-2022-36087 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014235
SnakeYaml is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014243
Node.js http-cache-semantics module is vulnerable to CVE-2022-25881 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014237
Werkzeug is vulnerable to CVE-2023-25577 and CVE-2023-23934 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014239
Cisco node-jose is vulnerable to CVE-2023-25653 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014241
Apache Commons FileUpload and Tomcat are vulnerable to CVE-2023-24998 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014245
Xml2js is vulnerable to CVE-2023-0842 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014247
Flask is vulnerable to CVE-2023-30861 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014251
Apache Commons Codec is vulnerable to PRISMA-2021-0055 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014255
IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities
https://www.ibm.com/support/pages/node/7014253
IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342)
https://www.ibm.com/support/pages/node/7014259
IBM Security Verify Access product is vulnerable to Open Redirects (AAC module) (CVE-2023-30433)
https://www.ibm.com/support/pages/node/7012613
Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946)
https://www.ibm.com/support/pages/node/7014261
json-20220320.jar is vulnerable to CVE-2022-45688 used in IBM Maximo Application Suite
https://www.ibm.com/support/pages/node/7014269
Apache Kafka is vulnerable to CVE-2022-34917 and CVE-2023-25194 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014273
Netplex json-smart-v2 is vulnerable to CVE-2023-1370 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014271
Netty is vulnerable to CVE-2022-41915 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014281
VMware Tanzu Spring Security is vulnerable to CVE-2022-31692 and CVE-2023-20862 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014361
VMware Tanzu Spring Framework is vulnerable to CVE-2023-20861 and CVE-2023-20863 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014353
Netty is vulnerable to CVE-2023-34462 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014357
VMware Tanzu Spring Framework is vulnerable to CVE-2023-20860 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014363
Apache Commons FileUpload and Apache Tomcat are vulnerable to CVE-2023-24998, CVE-2022-45143, and CVE-2023-28708 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014365
VMware Tanzu Spring Boot is vulnerable to CVE-2023-20883 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014369
Vulnerabilities in Node.js affect IBM Voice Gateway
https://www.ibm.com/support/pages/node/7013909
Python-requests is vulnerable to CVE-2023-32681 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014371
Google Guava is vulnerable to CVE-2023-2976 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014373
Snappy-java is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014375
The Bouncy Castle Crypto Package For Java is vulnerable to CVE-2023-33201 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7014377
Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data
https://www.ibm.com/support/pages/node/7014379
Vulnerabilities in Python, OpenSSH, Golang Go, Minio and Redis may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift
https://www.ibm.com/support/pages/node/7011697
Multiple vulnerabilities in Apache Log4j affect IBM Security Access Manager for Enterprise Single Sign-On
https://www.ibm.com/support/pages/node/7014395
IBM Event Streams is affected by multiple Golang Go vulnerabilities
https://www.ibm.com/support/pages/node/7014403
IBM WebSphere Application Server, used in IBM Security Verify Governance Identity Manager, could provide weaker than expected security (CVE-2023-35890)
https://www.ibm.com/support/pages/node/7014401
The IBM® Engineering System Design Rhapsody products on IBM Jazz Technology contain additional security fixes for X-Force ID 220800 and CVE-2017-12626
https://www.ibm.com/support/pages/node/7014413
A security vulnerability has been identified in IBM DB2 shipped with IBM Intelligent Operations Center (CVEs - Remediation/Fixes)
https://www.ibm.com/support/pages/node/7014429
IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to arbitrary code execution due to [CVE-2022-28805]
https://www.ibm.com/support/pages/node/7014459
IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to denial of service due to [CVE-2021-27212]
https://www.ibm.com/support/pages/node/7014457
IBM App Connect Enterprise Certified Container IntegrationServer operands are vulnerable to denial of service due to [CVE-2022-21349]
https://www.ibm.com/support/pages/node/7014455
IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to denial of service and loss of confidentiality due to multiple vulnerabilities
https://www.ibm.com/support/pages/node/7014451
IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2022-40897]
https://www.ibm.com/support/pages/node/7014453
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-24966)
https://www.ibm.com/support/pages/node/7014473
IBM WebSphere Application Server traditional is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161)
https://www.ibm.com/support/pages/node/7014475
Multiple vulnerabilities in IBM Java SDK affect IBM Decision Optimization for IBM Cloud Private for Data (ICP4Data)
https://www.ibm.com/support/pages/node/876830
Watson Query potentially exposes administrator's key under some conditions due to CVE-2022-22410
https://www.ibm.com/support/pages/node/6569235
Security Vulnerabilities affect IBM Cloud Pak for Data - OpenSSL
https://www.ibm.com/support/pages/node/6453431