End-of-Day report
Timeframe: Donnerstag 28-09-2023 18:00 - Freitag 29-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Version 1.0: Ungepatchte Schwachstellen im Mail Transfer Agent Exim
Der Open Source Mail Transfer Agent (MTA) Exim weist mehrere schwerwiegende ungepatchte Schwachstellen auf. Besonders kritisch ist eine Buffer Overflow Schwachstelle in der SMTP-Implementierung, CVE-2023-42115, die einer entfernten, unauthorisierten angreifenden Person gegebenenfalls das Ausführen von Code mit Rechten des Service Accounts, mit dem Exim betrieben wird, ermöglicht. Sie erreicht daher eine CVSS-Bewertung von 9.8 ("kritisch").
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2023/2023-266613-1032.pd
Betrifft unzählige Anwendungen: Zero-Day-Schwachstelle in VP8-Videokodierung
Google hat mal wieder eine Zero-Day-Schwachstelle in Chrome gepatcht. Neben gängigen Webbrowsern sind aber auch viele andere Apps betroffen.
https://www.golem.de/news/betrifft-unzaehlige-anwendungen-zero-day-schwachstelle-in-vp8-videokodierung-2309-178082.html
Dringend patchen: Schwachstelle mit maximalem Schweregrad in WS_FTP
Der Entwickler der Datentransfersoftware Moveit hat erneut kritische Schwachstellen behoben - dieses Mal in der Serveranwendung WS_FTP.
https://www.golem.de/news/dringend-patchen-schwachstelle-mit-maximalem-schweregrad-in-ws-ftp-2309-178097.html
Important release of LibreOffice 7.6.2 Community and LibreOffice 7.5.7 Community with key security fix
The Document Foundation is releasing LibreOffice 7.6.2 Community and LibreOffice 7.5.7 Community ahead of schedule to address a security issue known as CVE 2023-4863, which originates in a widely used code library known as libwebp, created by Google more than a decade ago to render the then-new WebP graphics format.
https://blog.documentfoundation.org/blog/2023/09/26/lo-762-and-lo-757/
Jetzt patchen! Angreifer haben Netzwerkgeräte von Cisco im Visier
Cisco hat unter anderem eine kritische Lücke in Catalyst SD-WAN geschlossen. Außerdem gibt es Sicherheitsupdates für weitere Produkte.
https://www.heise.de/-9320947.html
Balkonkraftwerke: Hoymiles schließt Sicherheitslücken
Der Wechselrichterhersteller hat die Lücken in der API geschlossen - das haben wir verifiziert. Im Gespräch gelobte Hoymiles Besserung.
https://www.heise.de/-9321291.html
Malicious ad served inside Bings AI chatbot
Users looking for software downloads may be tricked into visiting malicious websites via their interaction with Bing Chat.
https://www.malwarebytes.com/blog/threat-intelligence/2023/09/malicious-ad-served-inside-bing-ai-chatbot
Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
Hackers have set their sights on CVE-2023-34468, an RCE vulnerability in Apache NiFi that impacts thousands of organizations.
https://www.securityweek.com/hackers-set-sights-on-apache-nifi-flaw-that-exposes-many-organizations-to-attacks/
Oktober ist Cyber Security Month: Tipps und Veranstaltungen
Im Oktober dreht sich alles um Cyber-Sicherheit. Machen auch Sie mit und nutzen Sie das vielfältige Angebot. Wir zeigen Ihnen, wie Sie Ihre Kenntnisse zu Phishing, Randsomeware und Co. verbessern.
https://www.watchlist-internet.at/news/oktober-ist-cyber-security-month-tipps-und-veranstaltungen/
Betrügerisches EP-Gewinnspiel wird massenhaft per SMS verschickt
-Gratulation an die EP Electronic Gewinner-. Dieser Text steht in einer SMS, die derzeit massenhaft von Kriminellen verschickt wird. Besonders perfid: In der SMS werden auch die Namen der angeblichen Gewinner:innen genannt. Selbst wenn Ihr Name in der SMS auftaucht, sollten Sie nicht auf den mitgeschickten Link klicken! Betrüger:innen versuchen Sie in die Abo-Falle zu locken.
https://www.watchlist-internet.at/news/betruegerisches-ep-gewinnspiel-wird-massenhaft-per-sms-verschickt/
CL0P Seeds ^_- Gotta Catch Em All!
CL0P is distributing ransomware data via torrents. We investigate this new method, including seeds we-ve tracked - disguising victims with Pokemon. Catch them all!
https://unit42.paloaltonetworks.com/cl0p-group-distributes-ransomware-data-with-torrents/
Phishing via Dropbox
A burgeoning attack involving Dropbox is making the rounds. In the first two weeks of September, we saw 5,440 of these attacks. Hackers are using Dropbox to create fake login pages that eventually lead to a credential harvesting page. It-s yet another example of how hackers are utilizing legitimate services in what we call BEC 3.0 attacks. Business Email Compromise 3.0 attacks refer to the usage of legitimate sites-like Dropbox-to send and host phishing material.
https://blog.checkpoint.com/harmony-email/phishing-via-dropbox/
Analysis of Time-to-Exploit Trends: 2021-2022
Mandiant Intelligence analyzed 246 vulnerabilities that were exploited between 2021 and 2022. Sixty-two percent (153) of the vulnerabilities were first exploited as zero-day vulnerabilities. The number of exploited vulnerabilities each year continues to increase, while the overall times-to-exploit (TTEs) we are seeing are decreasing. Exploitation of a vulnerability is most likely to occur before the end of the first month following the release of a patch.
https://www.mandiant.com/resources/blog/time-to-exploit-trends-2021-2022
Vulnerabilities
Security updates for Friday
Security updates have been issued by Debian (firefox-esr, jetty9, and vim), Gentoo (Fish, GMP, libarchive, libsndfile, Pacemaker, and sudo), Oracle (nodejs:16 and nodejs:18), Red Hat (virt:av and virt-devel:av), Slackware (mozilla), SUSE (chromium, firefox, Golang Prometheus, iperf, libqb, and xen), and Ubuntu (linux-raspi).
https://lwn.net/Articles/945965/
Security Vulnerability fixed in Firefox 118.0.1, Firefox ESR 115.3.1, Firefox for Android 118.1.0, Firefox Focus for Android 118.1.0, and Thunderbird 115.3.1.
CVE-2023-5217: Heap buffer overflow in libvpx
Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild.
https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/
Vulnerabilities in node.js affect Cloud Pak Sytem [CVE-2023-28154, CVE-2022-46175, CVE-2022-3517]
https://www.ibm.com/support/pages/node/7038776
IBM Instana Observability is vulnerable to arbitrary code execution
https://www.ibm.com/support/pages/node/7041863
IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from go-toolset and amicontained
https://www.ibm.com/support/pages/node/7039373
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2023-29409
https://www.ibm.com/support/pages/node/7032246
Vulnerabilities in XStream library affects IBM Engineering Test Management (ETM) (CVE-2022-40151)
https://www.ibm.com/support/pages/node/7042166
Vulnerabilities in xercesImpl library affects IBM Engineering Test Management (ETM) (CVE-2022-23437)
https://www.ibm.com/support/pages/node/7042167
The IBM\u00ae Engineering Lifecycle Engineering product is affected as Java deserialization filters (JEP 290) ignored during IBM ORB deserialization (CVE-2022-40609)
https://www.ibm.com/support/pages/node/7042172
Vulnerabilities in batik-all library affects IBM Engineering Test Management (ETM) (CVE-2022-44730, CVE-2022-44729)
https://www.ibm.com/support/pages/node/7042170
Multiple vulnerabilities in IBM Storage Defender \u2013 Data Protect
https://www.ibm.com/support/pages/node/7040913