Tageszusammenfassung - 25.08.2023

End-of-Day report

Timeframe: Donnerstag 24-08-2023 18:00 - Freitag 25-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Auch Antivirensoftware: Winrar-Schwachstelle betrifft Hunderte weitere Programme

Nicht nur alte Winrar-Versionen sind für eine jüngst gepatchte Sicherheitslücke anfällig, sondern auch zahlreiche weitere Anwendungen.

https://www.golem.de/news/auch-antivirensoftware-winrar-schwachstelle-betrifft-hunderte-weitere-programme-2308-177086.html


FBI-Warnung: Barracuda ESG-Appliances noch immer bedroht, umgehend entfernen

Das FBI warnt vor den Barracuda-ESG-Schwachstellen, die Ende Mai bekannt wurden. Es geht davon aus, dass alle Geräte kompromittiert seien.

https://heise.de/-9284695


-Mammutjagd- auf Online-Marktplätze

Mit dem Toolset "Telekopye" können auch technisch wenig versierte Hacker auf Online-Marktplätzen Jagd auf ahnungslose Käufer - im Gauner-Slang "Mammut" - machen.

https://www.zdnet.de/88411400/mammutjagd-auf-online-marktplaetze/


Jupiter X Core WordPress plugin could let hackers hijack sites

Two vulnerabilities affecting some version of Jupiter X Core, a premium plugin for setting up WordPress and WooCommerce websites, allow hijacking accounts and uploading files without authentication.

https://www.bleepingcomputer.com/news/security/jupiter-x-core-wordpress-plugin-could-let-hackers-hijack-sites/


Python Malware Using Postgresql for C2 Communications, (Fri, Aug 25th)

For modern malware, having access to its C2 (Command and control) is a crucial point. There are many ways to connect to a C2 server using tons of protocols, but today, HTTP remains very common because HTTP is allowed on most networks...

https://isc.sans.edu/diary/rss/30158


Playing Dominos with Moodles Security (1/2)

This is the first blog in a two-part series where we will present our findings on a Moodle security audit we conducted. We were drawn to researching the security aspect of the framework due to its popularity, with the goal of contributing to a safer internet. In this first article, we demonstrate how an unauthenticated attacker can leverage a vulnerability with a supposedly low impact to gain full control over the Moodle instance.

https://www.sonarsource.com/blog/playing-dominos-with-moodles-security-1/


A broken marriage. Abusing mixed vendor Kerberos stacks

*nix based servers and services can be joined to Active Directory networks in the same way as their Windows counterparts. This is usually facilitated through the MIT or Heimdal Kerberos stacks. Kerberos is designed as an authentication-based protocol therefore authorisation decisions are implemented independently to the Kerberos protocol itself. Due to this, different vendor stacks behave differently on how authorisation decisions are made.

https://www.pentestpartners.com/security-blog/a-broken-marriage-abusing-mixed-vendor-kerberos-stacks/


A Beginner-s Guide to Adversary Emulation with Caldera

The target audience for this blog post is individuals who have a basic understanding of cybersecurity concepts and terminology and looking to expand their knowledge on adversary emulation. This post delves into the details of adversary emulation with the Caldera framework exploring the benefits it offers.

https://blog.nviso.eu/2023/08/25/a-beginners-guide-to-adversary-emulation-with-caldera/


Analysis of MS-SQL Server Proxyjacking Cases

AhnLab Security Emergency response Center (ASEC) has recently discovered cases of proxyjacking targeting poorly managed MS-SQL servers. Publicly accessible MS-SQL servers with simple passwords are one of the main attack vectors used when targeting Windows systems. Typically, threat actors target poorly managed MS-SQL servers and attempt to gain access through brute force or dictionary attacks. If successful, they install malware on the infected system.

https://asec.ahnlab.com/en/56350/


Stories from the SOC - Unveiling the stealthy tactics of Aukill malware

On April 21st, 2023, AT&T Managed Extended Detection and Response (Managed XDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed the attacker used AuKill malware on the clients print server to disable the servers installed endpoint detection and response (EDR) solution by brute-forcing an administrator account and downgrading a driver to a vulnerable version.

https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-silent-sabotage-unveiling-the-stealthy-tactics-of-aukill-malware

Vulnerabilities

Maxon Cinema 4D SKP File Parsing vulnerabilities

CVSS Score: 7.8 CVE-2023-40482, CVE-2023-40483, CVE-2023-40486, CVE-2023-40485, CVE-2023-40484, CVE-2023-40488, CVE-2023-4049[0], CVE-2023-40491, CVE-2023-40487, CVE-2023-40489 Mitigation: Given the nature of the [vulnerabilities], the only salient mitigation strategy is to restrict interaction with the application.

https://www.zerodayinitiative.com/advisories/published/


(0Day) LG Simple Editor vulnerabilities

CVSS Scores: 6.5-9.8 CVE-2023-40502, CVE-2023-40513, CVE-2023-40514, CVE-2023-40515, CVE-2023-40492, CVE-2023-40493, CVE-2023-40494, CVE-2023-40495, CVE-2023-40496, CVE-2023-40497, CVE-2023-40498, CVE-2023-40499, CVE-2023-40500, CVE-2023-40503, CVE-2023-40503, CVE-2023-40504, CVE-2023-40505, CVE-2023-40506, CVE-2023-40507, CVE-2023-40508, CVE-2023-40509, CVE-2023-40510, CVE-2023-40511, CVE-2023-40512, CVE-2023-40501, CVE-2023-40516 [...] they do not have plans to fix the [vulnerabilities]

https://www.zerodayinitiative.com/advisories/published/


(0Day) LG SuperSign Media Editor vulnerabilities

CVSS Scores: 5.3-7.5 CVE-2023-40517, CVE-2023-41181 The vendor states that they do not have plans to fix the [vulnerabilities] now or in the future. [...] Given the nature of the [vulnerabilities], the only salient mitigation strategy is to restrict interaction with the application.

https://www.zerodayinitiative.com/advisories/published/


QNap: [Vulnerabilities] in QTS and QuTS hero

CVE-2023-34971, CVE-2023-34973, CVE-2023-34972 Affected products: QTS 5.1.0, 5.0.1, 4.5.4; QuTS hero h5.1.0, h4.5.4 We have already fixed the [vulnerabilities] in the following operating system versions: * QTS 5.1.0.2444 build 20230629 and later * QTS 5.0.1.2425 build 20230609 and later * QTS 4.5.4.2467 build 20230718 and later * QuTS hero h5.1.0.2424 build 20230609 and later * QuTS hero h4.5.4.2476 build 20230728 and later

https://www.qnap.com/en-us/security-advisories?ref=security_advisory_details


Security updates for Friday

Security updates have been issued by Debian (tryton-server), Fedora (youtube-dl), SUSE (clamav and krb5), and Ubuntu (cjose and fastdds).

https://lwn.net/Articles/942766/


ZDI-23-1224: LG LED Assistant updateFile Directory Traversal Information Disclosure Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-23-1224/


ZDI-23-1223: LG LED Assistant thumbnail Directory Traversal Information Disclosure Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-23-1223/


ZDI-23-1222: LG LED Assistant setThumbnailRc Directory Traversal Remote Code Execution Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-23-1222/


ZDI-23-1221: LG LED Assistant upload Directory Traversal Remote Code Execution Vulnerability

https://www.zerodayinitiative.com/advisories/ZDI-23-1221/


IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-30435, CVE-2023-30436, CVE-2023-30437)

https://www.ibm.com/support/pages/node/7028506


ISC BIND on IBM i is vulnerable to denial of service due to a memory usage flaw (CVE-2023-2828)

https://www.ibm.com/support/pages/node/7017974


Multiple vulnerabilities found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-21541, CVE-2022-21540)

https://www.ibm.com/support/pages/node/7028934


IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2023-26115]

https://www.ibm.com/support/pages/node/7028936


IBM Spectrum Copy Data Management uses weaker than expected cryptographic algorithms

https://www.ibm.com/support/pages/node/7028841