End-of-Day report
Timeframe: Friday 04-08-2023 18:00 - Monday 07-08-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
New SkidMap Linux Malware Variant Targeting Vulnerable Redis Servers
Vulnerable Redis services have been targeted by a "new, improved, dangerous" variant of a malware called SkidMap that's engineered to target a wide range of Linux distributions. "The malicious nature of this malware is to adapt to the system on which it is executed," Trustwave security researcher Radoslaw Zdonczyk said in an analysis published last week.
https://thehackernews.com/2023/08/new-skidmap-redis-malware-variant.html
New 'Deep Learning Attack' Deciphers Laptop Keystrokes with 95% Accuracy
A group of academics has devised a "deep learning-based acoustic side-channel attack" that can be used to classify laptop keystrokes that are recorded using a nearby phone with 95% accuracy. "When trained on keystrokes recorded using the video conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium," researchers Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad said in a new study published last week.
https://thehackernews.com/2023/08/new-deep-learning-attack-deciphers.html
Technical Summary of Observed Citrix CVE-2023-3519 Incidents
The Shadowserver Foundation and trusted partners have observed three different malicious campaigns that have exploited CVE-2023-3519, a code injection vulnerability rated CVSS 9.8 critical in Citrix NetScaler ADC and NetScaler Gateway. [...] Please ensure you follow the detection and hunting steps provided for signs of possible compromise and webshell presence.
https://www.shadowserver.org/news/technical-summary-of-observed-citrix-cve-2023-3519-incidents/
Security Building Blocks, Part 5: Four Tiers - Risk and Security Levels
Setting up IT protection often means lengthy processes. Security levels for hardening against potential attacker classes provide a remedy.
https://heise.de/-9220500
Connected Devices: EU Grants Extension for Higher Cybersecurity
The EU wanted to oblige manufacturers of smartphones, wearables and the like to provide significantly more IT security and data protection from 2024. But now there is a postponement.
https://heise.de/-9235663
Ingredient List: BSI Sets Out Rules for Securing the Software Supply Chain
The BSI has published a guideline for Software Bills of Materials (SBOM). Such overview lists are intended to counter security debacles like Log4J.
https://heise.de/-9235853
Visualizing Qakbot Infrastructure Part II: Uncharted Territory
A Data-Driven Approach Based on Analysis of Network Telemetry - In this blog post, we will provide an update on our high-level analysis of...
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory
Vulnerabilities
Critical RCE vulnerability CVE-2023-39143 in PaperCut before version 22.1.3
Anyone running the print management solution PaperCut MF/NG should patch the product urgently. A just-disclosed critical RCE vulnerability, CVE-2023-39143, allows takeover of PaperCut servers. The vendor has already released a corresponding security patch to remediate the vulnerability.
https://www.borncity.com/blog/2023/08/05/kritische-rce-schwachstelle-cve-2023-39143-in-papercut-vor-version-22-1-3/
Security updates: attackers can attack HP and Samsung printers
Some HP and Samsung printer models are vulnerable. Security updates fix the problem.
https://heise.de/-9236703
VU#947701: Freewill Solutions IFIS new trading web application vulnerable to unauthenticated remote code execution
Freewill Solutions IFIS new trading web application version 20.01.01.04 is vulnerable to unauthenticated remote code execution. Successful exploitation of this vulnerability allows an attacker to run arbitrary shell commands on the affected host. [...] The CERT/CC is currently unaware of a practical solution to this problem. [...] We have not received a statement from the vendor.
https://kb.cert.org/vuls/id/947701
ZDI-23-1017: Extreme Networks AP410C Stack-based Buffer Overflow Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Extreme Networks AP410C routers. Authentication is not required to exploit this vulnerability.
https://www.zerodayinitiative.com/advisories/ZDI-23-1017/
Triangle MicroWorks SCADA Data Gateway: Multiple Vulnerabilities
CVE: CVE-2023-39458, CVE-2023-39459, CVE-2023-39460, CVE-2023-39461, CVE-2023-39462, CVE-2023-39463, CVE-2023-39464, CVE-2023-39465, CVE-2023-39466, CVE-2023-39467, CVE-2023-39468, CVE-2023-39457
CVSS Scores: <= 9.8
See also https://www.zerodayinitiative.com/advisories/published/
https://www.trianglemicroworks.com/products/scada-data-gateway/whats-new
CVE-2023-35082 - Vulnerability affecting EPMM and MobileIron Core
On 2 August 2023 at 10:00 MDT, Ivanti reported CVE-2023-35082. This vulnerability, which was originally discovered in MobileIron Core had not been previously identified as a vulnerability [...] Ivanti has continued its investigation and has found additional paths to exploiting CVE-2023-35082 depending on configuration of the Ivanti Endpoint Manager Mobile (EPMM) appliance. This impacts all versions of EPMM 11.10, 11.9 and 11.8 and MobileIron Core 11.7 and below.
https://www.ivanti.com/blog/vulnerability-affecting-mobileiron-core-11-2-and-older
Security updates for Monday
Security updates have been issued by Debian (burp, chromium, ghostscript, openimageio, pdfcrack, python-werkzeug, thunderbird, and webkit2gtk), Fedora (amanda, libopenmpt, llhttp, samba, seamonkey, and xen), Red Hat (thunderbird), Slackware (mozilla and samba), and SUSE (perl-Net-Netmask, python-Django1, trytond, and virtualbox).
https://lwn.net/Articles/940682/
AUMA: SIMA Master Station affected by WRECK vulnerability
https://cert.vde.com/de/advisories/VDE-2023-028/
AUMA: Reflected Cross-Site Scripting Vulnerability in SIMA Master Stations
https://cert.vde.com/de/advisories/VDE-2023-027/
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-27554)
https://www.ibm.com/support/pages/node/7020515
An unauthorized attacker who has obtained an IBM Watson IoT Platform security authentication token can use it to impersonate an authorized platform user (CVE-2023-38372)
https://www.ibm.com/support/pages/node/7020635
ISC BIND on IBM i is vulnerable to denial of service due to a memory usage flaw (CVE-2023-2828)
https://www.ibm.com/support/pages/node/7017974
IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to FasterXML jackson-databind [CVE-2022-42003, CVE-2022-42004]
https://www.ibm.com/support/pages/node/7020695
IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to JetBrains Kotlin weak security [CVE-2022-24329]
https://www.ibm.com/support/pages/node/7020659
IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to JCommander [X-Force ID: 221124]
https://www.ibm.com/support/pages/node/7020636
Timing Oracle in RSA Decryption issue may affect GSKit shipped with IBM CICS TX Standard
https://www.ibm.com/support/pages/node/7022413
Timing Oracle in RSA Decryption issue may affect GSKit shipped with IBM CICS TX Advanced
https://www.ibm.com/support/pages/node/7022414
A vulnerability has been identified in the IBM Storage Scale GUI where a remote authenticated user can execute commands (CVE-2023-33201)
https://www.ibm.com/support/pages/node/7022431