End-of-Day report
Timeframe: Tuesday 08-08-2023 18:00 - Wednesday 09-08-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
News
Malicious extensions can abuse VS Code flaw to steal auth tokens
Microsoft's Visual Studio Code (VS Code) code editor and development environment contains a flaw that allows malicious extensions to retrieve authentication tokens stored in Windows, Linux, and macOS credential managers.
https://www.bleepingcomputer.com/news/security/malicious-extensions-can-abuse-vs-code-flaw-to-steal-auth-tokens/
EvilProxy phishing campaign targets 120,000 Microsoft 365 users
EvilProxy is becoming one of the more popular phishing platforms to target MFA-protected accounts, with researchers seeing 120,000 phishing emails sent to over a hundred organizations to steal Microsoft 365 accounts.
https://www.bleepingcomputer.com/news/security/evilproxy-phishing-campaign-targets-120-000-microsoft-365-users/
Malicious Campaigns Exploit Weak Kubernetes Clusters for Crypto Mining
Exposed Kubernetes (K8s) clusters are being exploited by malicious actors to deploy cryptocurrency miners and other backdoors. Cloud security firm Aqua, in a report shared with The Hacker News, said a majority of the clusters belonged to small to medium-sized organizations, with a smaller subset tied to bigger companies, spanning financial, aerospace, automotive, industrial, and security sectors.
https://thehackernews.com/2023/08/malicious-campaigns-exploit-weak.html
Warning: smishing wave targeting online banking in circulation!
Numerous readers are currently reporting an SMS sent in the name of various banks. The criminals claim that "your George registration" or "your Mein Elba registration" is about to expire. The "legitimation" can supposedly be extended with a click on a link. Anyone who clicks the link is asked to enter banking details and other personal data. Ignore these SMS messages and do not disclose any data.
https://www.watchlist-internet.at/news/achtung-smishing-welle-zu-online-banking-im-umlauf/
A deep dive into the ESXiArgs ransomware campaign
It was a beautiful day, that Friday, 3 February 2023, but as is unfortunately the way with Fridays in the cybersecurity field, that was soon to change. Since this incident now lies somewhat further in the past, things have quieted down around it. However, there are quite a few interesting aspects that, at least as far as I know, have not been reported in this form yet.
https://cert.at/de/blog/2023/8/ein-deepdive-in-die-esxiargs-ransomware-kampagne
Fantastic Rootkits: And Where To Find Them (Part 3) - ARM Edition
In this blog, we will discuss innovative rootkit techniques on a non-traditional architecture, Windows 11 on ARM64.
https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-and-where-to-find-them-part-3-arm-edition
Vulnerabilities
FortiOS - Buffer overflow in execute extender command (CVE-2023-29182)
A stack-based buffer overflow vulnerability [CWE-121] in FortiOS may allow a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections.
https://fortiguard.fortinet.com/psirt/FG-IR-23-149
Lenovo: Multi-vendor BIOS Security Vulnerabilities (August 2023)
The following list of vulnerabilities was reported by suppliers and researchers or was found during our regular internal testing. CVE Identifier: CVE-2022-24351, CVE-2022-27879, CVE-2022-37343, CVE-2022-38083, CVE-2022-40982, CVE-2022-41804, CVE-2022-43505, CVE-2022-44611, CVE-2022-46897, CVE-2023-2004, CVE-2023-20555, CVE-2023-20569, CVE-2023-23908, CVE-2023-26090, CVE-2023-27471, CVE-2023-28468, CVE-2023-31041, CVE-2023-34419, CVE-2023-4028, CVE-2023-4029, CVE-2023-4030
https://support.lenovo.com/at/en/product_security/ps500572-multi-vendor-bios-security-vulnerabilities-august-2023
Lenovo: AMD Graphics OpenSSL Vulnerabilities
CVE Identifier: CVE-2022-3602, CVE-2022-3786 Summary Description: AMD reported two high severity OpenSSL vulnerabilities affecting certain versions of their product. Mitigation Strategy for Customers (what you should do to protect yourself): Update AMD Graphics Driver to the version (or newer) indicated for your model in the Product Impact section.
https://support.lenovo.com/at/en/product_security/ps500575-amd-graphics-openssl-vulnerabilities
Lenovo: Intel PROSet Wireless WiFi and Killer WiFi Advisory
CVE Identifier: CVE-2022-27635, CVE-2022-46329, CVE-2022-40964, CVE-2022-36351, CVE-2022-38076 Summary Description: Intel reported potential security vulnerabilities in some Intel PROSet/Wireless WiFi and Killer WiFi products that may allow escalation of privilege or denial of service. Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware or software version (or higher) as recommended in the Product Impact section below.
https://support.lenovo.com/at/en/product_security/ps500574-intel-proset-wireless-wifi-and-killer-wifi-advisory
Lenovo: Intel Chipset Firmware Advisory
CVE Identifier: CVE-2022-36392, CVE-2022-38102, CVE-2022-29871 Summary Description: Intel reported potential security vulnerabilities in the Intel Converged Security Management Engine (CSME) that may allow escalation of privilege and Denial of Service. Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware or software version (or higher) as recommended in the Product Impact section below.
https://support.lenovo.com/at/en/product_security/ps500573-intel-chipset-firmware-advisory
Xen XSA-432: Linux: buffer overrun in netback due to unusual packet (CVE-2023-34319)
The fix for XSA-423 added logic to Linux's netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible) headers together.
https://xenbits.xen.org/xsa/advisory-432.html
Xen XSA-434 x86/AMD: Speculative Return Stack Overflow (CVE-2023-20569)
It is possible to poison the branch type and target predictions such that, at a point of the attacker's choosing, the branch predictor predicts enough CALLs back-to-back to wrap around the entire RAS and overwrite a correct return prediction with one of the attacker's choosing. This allows the attacker to control RET speculation in a victim context, and leak arbitrary data as a result.
https://xenbits.xen.org/xsa/advisory-434.html
Xen XSA-435 x86/Intel: Gather Data Sampling
A researcher has discovered Gather Data Sampling, a transient execution side-channel whereby the AVX GATHER instructions can forward the content of stale vector registers to dependent instructions. The physical register file is a structure competitively shared between sibling threads. Therefore an attacker can infer data from the sibling thread, or from a more privileged context.
https://xenbits.xen.org/xsa/advisory-435.html
Citrix Hypervisor Security Bulletin for CVE-2023-20569, CVE-2023-34319 and CVE-2022-40982
- An issue has been discovered in Citrix Hypervisor 8.2 CU1 LTSR that may allow malicious, privileged code in a guest VM to cause the host to crash. (CVE-2023-34319)
- In addition, Intel has disclosed a security issue affecting certain Intel CPUs [..] (CVE-2022-40982)
- In addition, AMD has disclosed a security issue affecting AMD CPUs [..] (CVE-2023-20569)
https://support.citrix.com/article/CTX569353/citrix-hypervisor-security-bulletin-for-cve202320569-cve202334319-and-cve202240982
LibreSwan: CVE-2023-38710: Invalid IKEv2 REKEY proposal causes restart
When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payload's protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH (3) and causes the pluto daemon to crash and restart.
https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt
LibreSwan: CVE-2023-38711: Invalid IKEv1 Quick Mode ID causes restart
When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR receives an IDcr payload with ID_FQDN, a null pointer dereference causes a crash and restart of the pluto daemon.
https://libreswan.org/security/CVE-2023-38711/CVE-2023-38711.txt
LibreSwan: CVE-2023-38712: Invalid IKEv1 repeat IKE SA delete causes crash and restart
When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a null pointer dereference on the deleted state causes the pluto daemon to crash and restart.
https://libreswan.org/security/CVE-2023-38712/CVE-2023-38712.txt
LWN: Stable kernels with security fixes
The 6.4.9, 6.1.44, 5.15.125, 5.10.189, 5.4.252, 4.19.290, and 4.14.321 stable kernel updates have all been released; they are dominated by fixes for the latest round of speculative-execution vulnerabilities. Do note the warning attached to each of these releases.
https://lwn.net/Articles/940798/
New security vulnerabilities discovered in AMD and Intel processors
The Black Hat security conference is no fun for AMD and Intel. Both manufacturers have to deal with numerous security vulnerabilities - BIOS updates are on the way.
https://heise.de/-9239339
Security updates for Wednesday
Security updates have been issued by Debian (cjose, hdf5, and orthanc), Fedora (java-17-openjdk and seamonkey), Red Hat (curl, dbus, iperf3, kernel, kpatch-patch, libcap, libxml2, nodejs:16, nodejs:18, postgresql:10, postgresql:12, postgresql:13, and python-requests), SUSE (bluez, cjose, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, keylime, openssl-1_1, openssl-3, pipewire, poppler, qemu, rubygem-actionpack-4_2, rubygem-actionpack-5_1, rust1.71, tomcat, webkit2gtk3, and wireshark), and Ubuntu (binutils, dotnet6, dotnet7, openssh, php-dompdf, and unixodbc).
https://lwn.net/Articles/940912/
SAP Patches Critical Vulnerability in PowerDesigner Product
SAP has fixed over a dozen new vulnerabilities with its Patch Tuesday updates, including a critical flaw in its PowerDesigner product.
https://www.securityweek.com/sap-patches-critical-vulnerability-in-powerdesigner-product/
Microsoft Releases August 2023 Security Updates
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system.
https://www.cisa.gov/news-events/alerts/2023/08/08/microsoft-releases-august-2023-security-updates
Released: August 2023 Exchange Server Security Updates
We are aware of Setup issues on non-English servers and have temporarily removed August SU from Windows / Microsoft update. If you are using a non-English language server, we recommend you wait with deployment of August SU until we provide more information.
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/ba-p/3892811
Adobe Releases Security Updates for Multiple Products
Adobe has released security updates to address multiple vulnerabilities in Adobe software. An attacker can exploit some of these vulnerabilities to take control of an affected system.
https://www.cisa.gov/news-events/alerts/2023/08/08/adobe-releases-security-updates-multiple-products
Certifi component is vulnerable to CVE-2022-23491 used by IBM Maximo Application Suite
https://www.ibm.com/support/pages/node/7023647
protobuf-java component is vulnerable to CVE-2022-3510 and CVE-2022-3509 and is used by IBM Maximo Application Suite
https://www.ibm.com/support/pages/node/7023656
A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2022-40609)
https://www.ibm.com/support/pages/node/7024675
Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server shipped with IBM Business Automation Workflow containers - April 2023 CPU
https://www.ibm.com/support/pages/node/7024729
Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager
https://www.ibm.com/support/pages/node/7016660
IBM Facsimile Support for i is vulnerable to local privilege escalation (CVE-2023-38721)
https://www.ibm.com/support/pages/node/7023423
IBM App Connect Enterprise toolkit and IBM Integration Bus toolkit are vulnerable to a local authenticated attacker and a denial of service due to Guava and JDOM (CVE-2023-2976, CVE-2021-33813).
https://www.ibm.com/support/pages/node/7024862
IBM MQ is affected by multiple Angular JS vulnerabilities.
https://www.ibm.com/support/pages/node/7023212
IBM MQ Appliance is affected by multiple AngularJS vulnerabilities
https://www.ibm.com/support/pages/node/7013499