Daily summary - 07.08.2023

End-of-Day report

Timeframe: Friday 04-08-2023 18:00 - Monday 07-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter

News

New SkidMap Linux Malware Variant Targeting Vulnerable Redis Servers

Vulnerable Redis services have been targeted by a "new, improved, dangerous" variant of a malware called SkidMap that's engineered to target a wide range of Linux distributions. "The malicious nature of this malware is to adapt to the system on which it is executed," Trustwave security researcher Radoslaw Zdonczyk said in an analysis published last week.

https://thehackernews.com/2023/08/new-skidmap-redis-malware-variant.html
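The article does not say which Redis misconfigurations SkidMap abuses, so the following is an added example and not code from the article or from Trustwave: a small redis.conf audit that flags the classic conditions for an unauthenticated, network-reachable Redis (bound to all interfaces, protected mode off, no requirepass, administrative commands still reachable under their default names). The two configurations are constructed samples, and the list of "dangerous" commands is this example's own assumption.

```python
"""Audit a redis.conf for settings that leave an instance open to
unauthenticated remote abuse.  Added example: the malware above targets
"vulnerable Redis services"; what counts as vulnerable here (no auth,
bound to all interfaces, protected mode off, admin commands reachable) is
this example's assumption, not a statement from the article."""

# Constructed sample configurations (not taken from the article).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so there is no authentication
# requirepass hunter2
"""

HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass 3a7f9c1e4b2d8e6f0a5c7b9d1e3f5a7c
rename-command CONFIG ""
rename-command SAVE ""
rename-command MODULE ""
rename-command DEBUG ""
"""

# Commands commonly abused to turn Redis write access into file writes or
# code loading (assumed list for this example).
DANGEROUS = ("CONFIG", "SAVE", "MODULE", "DEBUG")

ALL_INTERFACES = ("0.0.0.0", "::", "*", "::*")


def parse_conf(text):
    """Parse redis.conf into {directive: [args]}; rename-command entries
    are collected into a list because the directive repeats."""
    conf = {"rename-command": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        key = key.lower()
        # redis.conf writes an empty argument as "" (disables the command)
        args = ["" if a in ('""', "''") else a for a in args]
        if key == "rename-command":
            conf[key].append(args)
        else:
            conf[key] = args
    return conf


def has_password(conf):
    return bool(conf.get("requirepass") and conf["requirepass"][0])


def open_to_network(conf):
    """True if a client on another host can use Redis without a password.
    Follows the documented protected-mode rule: it only refuses non-loopback
    clients when there is NO bind directive and NO requirepass."""
    if has_password(conf):
        return False
    binds = conf.get("bind")
    if binds is None:
        return conf.get("protected-mode", ["yes"])[0].lower() != "yes"
    # Redis 6+ allows an optional-address prefix "-", e.g. "-::*"
    return any(b.lstrip("-") in ALL_INTERFACES for b in binds)


def audit(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    conf = parse_conf(text)
    findings = []
    binds = conf.get("bind")
    if binds is None or any(b.lstrip("-") in ALL_INTERFACES for b in binds):
        findings.append("bind: listens on all interfaces (or no bind directive)")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled")
    if not has_password(conf):
        findings.append("requirepass: no password set")
    renamed = {a[0].upper() for a in conf["rename-command"] if len(a) == 2}
    for cmd in DANGEROUS:
        if cmd not in renamed:
            findings.append(f"{cmd}: reachable under its default name")
    if open_to_network(conf):
        findings.append("VERDICT: unauthenticated access from the network is possible")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

The verdict line is the one that matters for triage: a password-less instance bound to 0.0.0.0 is open regardless of protected-mode, because protected mode only applies when no bind directive is set at all. Run it against the configs of every Redis host in scope rather than trusting the defaults of the installed version.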


New 'Deep Learning Attack' Deciphers Laptop Keystrokes with 95% Accuracy

A group of academics has devised a "deep learning-based acoustic side-channel attack" that can be used to classify laptop keystrokes that are recorded using a nearby phone with 95% accuracy. "When trained on keystrokes recorded using the video conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium," researchers Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad said in a new study published last week.

https://thehackernews.com/2023/08/new-deep-learning-attack-deciphers.html


Technical Summary of Observed Citrix CVE-2023-3519 Incidents

The Shadowserver Foundation and trusted partners have observed three different malicious campaigns that have exploited CVE-2023-3519, a code injection vulnerability rated CVSS 9.8 critical in Citrix NetScaler ADC and NetScaler Gateway. [...] Please ensure you follow the detection and hunting steps provided for signs of possible compromise and webshell presence.

https://www.shadowserver.org/news/technical-summary-of-observed-citrix-cve-2023-3519-incidents/


Security building blocks, part 5: Four levels - risk and security levels

Setting up IT protection often means lengthy processes. Security levels, which define hardening against potential classes of attackers, offer a remedy.

https://heise.de/-9220500


Connected devices: EU grants extension for higher cybersecurity

The EU wanted to oblige manufacturers of smartphones, wearables and similar devices to significantly more IT security and data protection from 2024. Now there is a postponement.

https://heise.de/-9235663


Ingredients list: BSI sets out rules for securing the software supply chain

The BSI has published a guideline for Software Bills of Materials (SBOM). Such inventory lists are intended to counter security debacles like Log4J.

https://heise.de/-9235853
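What an SBOM buys you in a Log4J-style incident is a fast, offline answer to "do we ship the affected component at all?". The following is an added example, not from the heise article or the BSI guideline: it walks a CycloneDX-style JSON SBOM (a constructed sample) and matches its components against an advisory table by package URL and version range. The advisory entry uses the publicly documented affected range for CVE-2021-44228 (log4j-core 2.0 through 2.14.1, fixed in 2.15.0); the version comparison is deliberately simple and ignores pre-release suffixes.

```python
"""Match an SBOM (CycloneDX JSON) against a small advisory table.
Added example; the SBOM below is constructed, and the advisory table is
this example's own minimal representation of CVE-2021-44228's affected range."""

import json

# Constructed sample SBOM (not from the article).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    ],
})

# Advisory table: package (purl without version) -> list of
# (first affected, first fixed, identifier).  Range is [first, fixed).
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        ("2.0", "2.15.0", "CVE-2021-44228"),
    ],
}


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '-beta9' are
    dropped (assumption: good enough for release versions)."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def split_purl(purl):
    """'pkg:maven/g/a@1.2' -> ('pkg:maven/g/a', '1.2'); qualifiers after '?' dropped."""
    base = purl.split("?", 1)[0]
    name, _, version = base.rpartition("@")
    return (name, version) if name else (base, "")


def find_affected(sbom_text, advisories=ADVISORIES):
    """Return [(purl, advisory id)] for every component inside an affected range."""
    hits = []
    for comp in json.loads(sbom_text).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        name, version = split_purl(purl)
        version = version or comp.get("version", "")
        for first, fixed, ident in advisories.get(name, []):
            if parse_version(first) <= parse_version(version) < parse_version(fixed):
                hits.append((purl, ident))
    return hits


if __name__ == "__main__":
    for purl, ident in find_affected(SAMPLE_SBOM):
        print(f"{ident}: {purl}")
```

The lookup keys on the purl rather than on the component name, which avoids false matches on same-named artifacts from other groups (here log4j-api is correctly not flagged). Real tooling should use a proper version-ordering library; the tuple comparison is only for illustration.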


Visualizing Qakbot Infrastructure Part II: Uncharted Territory

A Data-Driven Approach Based on Analysis of Network Telemetry - In this blog post, we will provide an update on our high-level analysis of...

https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-uncharted-territory

Vulnerabilities

Critical RCE vulnerability CVE-2023-39143 in PaperCut before version 22.1.3

Anyone running the print management solution PaperCut MF/NG should patch the product urgently. A critical RCE vulnerability, CVE-2023-39143, that has just become known allows takeover of PaperCut servers. The vendor has already released a security patch that fixes the vulnerability.

https://www.borncity.com/blog/2023/08/05/kritische-rce-schwachstelle-cve-2023-39143-in-papercut-vor-version-22-1-3/


Security updates: attackers can attack HP and Samsung printers

Some printer models from HP and Samsung are vulnerable. Security updates fix the problem.

https://heise.de/-9236703


VU#947701: Freewill Solutions IFIS new trading web application vulnerable to unauthenticated remote code execution

Freewill Solutions IFIS new trading web application version 20.01.01.04 is vulnerable to unauthenticated remote code execution. Successful exploitation of this vulnerability allows an attacker to run arbitrary shell commands on the affected host. [...] The CERT/CC is currently unaware of a practical solution to this problem. [...] We have not received a statement from the vendor.

https://kb.cert.org/vuls/id/947701


ZDI-23-1017: Extreme Networks AP410C Stack-based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Extreme Networks AP410C routers. Authentication is not required to exploit this vulnerability.

https://www.zerodayinitiative.com/advisories/ZDI-23-1017/


Triangle MicroWorks SCADA Data Gateway: Multiple Vulnerabilities

CVE: CVE-2023-39457, CVE-2023-39458, CVE-2023-39459, CVE-2023-39460, CVE-2023-39461, CVE-2023-39462, CVE-2023-39463, CVE-2023-39464, CVE-2023-39465, CVE-2023-39466, CVE-2023-39467, CVE-2023-39468
CVSS Scores: <= 9.8
See also https://www.zerodayinitiative.com/advisories/published/

https://www.trianglemicroworks.com/products/scada-data-gateway/whats-new


CVE-2023-35082 - Vulnerability affecting EPMM and MobileIron Core

On 2 August 2023 at 10:00 MDT, Ivanti reported CVE-2023-35082. This vulnerability, which was originally discovered in MobileIron Core had not been previously identified as a vulnerability [...] Ivanti has continued its investigation and has found additional paths to exploiting CVE-2023-35082 depending on configuration of the Ivanti Endpoint Manager Mobile (EPMM) appliance. This impacts all versions of EPMM 11.10, 11.9 and 11.8 and MobileIron Core 11.7 and below.

https://www.ivanti.com/blog/vulnerability-affecting-mobileiron-core-11-2-and-older


Security updates for Monday

Security updates have been issued by Debian (burp, chromium, ghostscript, openimageio, pdfcrack, python-werkzeug, thunderbird, and webkit2gtk), Fedora (amanda, libopenmpt, llhttp, samba, seamonkey, and xen), Red Hat (thunderbird), Slackware (mozilla and samba), and SUSE (perl-Net-Netmask, python-Django1, trytond, and virtualbox).

https://lwn.net/Articles/940682/


AUMA: SIMA Master Station affected by WRECK vulnerability

https://cert.vde.com/de/advisories/VDE-2023-028/


AUMA: Reflected Cross-Site Scripting Vulnerability in SIMA Master Stations

https://cert.vde.com/de/advisories/VDE-2023-027/


A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-27554)

https://www.ibm.com/support/pages/node/7020515


An unauthorized attacker who has obtained an IBM Watson IoT Platform security authentication token can use it to impersonate an authorized platform user (CVE-2023-38372)

https://www.ibm.com/support/pages/node/7020635


ISC BIND on IBM i is vulnerable to denial of service due to a memory usage flaw (CVE-2023-2828)

https://www.ibm.com/support/pages/node/7017974


IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to FasterXML jackson-databind [CVE-2022-42003, CVE-2022-42004]

https://www.ibm.com/support/pages/node/7020695


IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to JetBrains Kotlin weak security [CVE-2022-24329]

https://www.ibm.com/support/pages/node/7020659


IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to JCommander [X-Force ID: 221124]

https://www.ibm.com/support/pages/node/7020636


Timing Oracle in RSA Decryption issue may affect GSKit shipped with IBM CICS TX Standard

https://www.ibm.com/support/pages/node/7022413


Timing Oracle in RSA Decryption issue may affect GSKit shipped with IBM CICS TX Advanced

https://www.ibm.com/support/pages/node/7022414


A vulnerability has been identified in the IBM Storage Scale GUI where a remote authenticated user can execute commands (CVE-2023-33201)

https://www.ibm.com/support/pages/node/7022431