Daily summary - 11.06.2024

End-of-Day report

Timeframe: Monday 10-06-2024 18:00 - Tuesday 11-06-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer

News

Gitloker attacks abuse GitHub notifications to push malicious OAuth apps

Threat actors impersonate GitHub's security and recruitment teams in phishing attacks to hijack repositories using malicious OAuth apps, in an ongoing extortion campaign that wipes compromised repos.

https://www.bleepingcomputer.com/news/security/gitloker-attacks-abuse-github-notifications-to-push-malicious-oauth-apps/


Arm warns of actively exploited flaw in Mali GPU kernel drivers

Arm has issued a security bulletin warning of a memory-related vulnerability in Bifrost and Valhall GPU kernel drivers that is being exploited in the wild.

https://www.bleepingcomputer.com/news/security/arm-warns-of-actively-exploited-flaw-in-mali-gpu-kernel-drivers/


QR code SQL injection and other vulnerabilities in a popular biometric terminal

The report analyzes the security properties of a popular biometric access control terminal made by ZKTeco and describes the vulnerabilities found in it.

https://securelist.com/biometric-terminal-vulnerabilities/112800/
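The attack class in the headline, as an added example that is not part of the Securelist report and not ZKTeco firmware code: a string decoded from a QR code is spliced into an SQL statement in one function and bound as a parameter in the other, against a constructed in-memory SQLite table that stands in for a terminal's local user database. The table layout, the sample rows, the badge-id format and the function names are assumptions made for illustration.

```python
# Added example (not ZKTeco's or Securelist's code): QR-derived input in SQL.
import re
import sqlite3

# Constructed sample data standing in for a terminal's local user table
# (badge_id as printed in the QR code, display name, access flag).
SAMPLE_USERS = [
    ("1001", "alice", 1),
    ("1002", "bob", 1),
    ("9999", "contractor", 0),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (badge_id TEXT, name TEXT, access INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, qr_payload):
    """Deliberately unsafe: the decoded QR text is spliced into the statement,
    so a payload such as  ' OR 1=1 --  rewrites the WHERE clause and comments
    out the access check that follows it."""
    query = (
        "SELECT name FROM users WHERE badge_id = '" + qr_payload + "' AND access = 1"
    )
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, qr_payload):
    """Hardened form: the value is bound as a parameter, so the driver never
    interprets it as SQL and the same payload simply matches no badge."""
    query = "SELECT name FROM users WHERE badge_id = ? AND access = 1"
    return [row[0] for row in conn.execute(query, (qr_payload,))]


def is_valid_badge_id(qr_payload):
    """Defence in depth: reject anything that is not a short decimal badge id
    before it reaches the database at all (assumed format, for illustration)."""
    return bool(re.fullmatch(r"[0-9]{1,16}", qr_payload))


if __name__ == "__main__":
    db = build_db()
    injected = "' OR 1=1 --"
    print("vulnerable:", lookup_vulnerable(db, injected))  # all three users, access flag ignored
    print("safe:      ", lookup_safe(db, injected))        # []
    print("validator: ", is_valid_badge_id(injected))      # False
```

The parameterized query is the fix; the allowlist check is a second, independent layer that also keeps unexpected QR content out of logs and error messages.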


A Brief History of SmokeLoader, Part 1

In May 2024, Zscaler ThreatLabz's technical analysis of SmokeLoader supported an international law enforcement action known as Operation Endgame, which remotely disinfected tens of thousands of infections. In the process of assisting law enforcement with the operation, ThreatLabz documented nearly all known versions of SmokeLoader. In this two-part blog series, we explore the evolution of SmokeLoader.

https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-part-1


"Hi Mum/Hi Dad" messages target personal photos

Be careful if your child suddenly writes from an unknown number and claims that this is now their new number. Criminals are behind it, and they want to steal your money. In addition, "your child" asks you to send personal photos. These are presumably misused by the criminals for further scams.

https://www.watchlist-internet.at/news/hallo-mama-hallo-papa-nachrichten-zielen-auf-persoenliche-fotos/


Enumerating System Management Interrupts

System Management Interrupts (SMI) provide a mechanism for entering System Management Mode (SMM) which primarily implements platform-specific functions related to power management. SMM is a privileged execution mode with access to the complete physical memory of the system, and to which the operating system has no visibility.

https://research.nccgroup.com/2024/06/10/enumerating-system-management-interrupts/


BIOS update 01.17.00 renders HP ProBook 445 G7 and 455 G7 completely unusable

Hewlett Packard (HP) has released a broken BIOS version that turns HP ProBook 445 G7 and 455 G7 notebooks from 2020 into expensive paperweights. [..] This BIOS 01.17.00 update is supposed to close a critical security vulnerability, and the Support Assistant accordingly listed it as a critical update that should be installed as soon as possible.

https://www.borncity.com/blog/2024/06/11/bios-update-01-17-00-macht-hp-probooks-445-g7-und-455-g7-komplett-unbrauchbar/

Vulnerabilities

Netgear WNR614 flaws allow device takeover, no fix available

Researchers found half a dozen vulnerabilities of varying severity impacting Netgear WNR614 N300, a budget-friendly router that proved popular among home users and small businesses.

https://www.bleepingcomputer.com/news/security/netgear-wnr614-flaws-allow-device-takeover-no-fix-available/


(0Day) Microsoft Windows Incorrect Permission Assignment Information Disclosure Vulnerability

This vulnerability allows local attackers to disclose sensitive information or to create a denial-of-service condition on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Furthermore, the vulnerable behavior occurs only in certain hardware configurations. [..] Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.

https://www.zerodayinitiative.com/advisories/ZDI-24-598/


Security updates for Tuesday

Security updates have been issued by AlmaLinux (ruby:3.3), Fedora (efifs, libvirt, podman-tui, prometheus-podman-exporter, and strongswan), Red Hat (firefox, idm:DL1, ipa, nghttp2, and thunderbird), SUSE (aws-nitro-enclaves-cli, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, frr, glibc, go1.21, go1.22, gstreamer-plugins-base, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, libxml2, mariadb, poppler, python-Brotli, python-docker, python-idna, rmt-server, skopeo, sssd, unbound, unrar, util-linux, and webkit2gtk3), and Ubuntu (giflib, libphp-adodb, linux-gkeop, linux-gkeop-5.15, linux-kvm, linux-laptop, linux-oem-6.8, nodejs, and tiff).

https://lwn.net/Articles/977939/


CVE-2024-28995: Trivially Exploitable Information Disclosure Vulnerability in SolarWinds Serv-U

On June 5, 2024, SolarWinds disclosed CVE-2024-28995, a high-severity directory traversal vulnerability affecting the Serv-U file transfer server. Successful exploitation of the vulnerability allows unauthenticated attackers to read sensitive files on the host.

https://www.rapid7.com/blog/post/2024/06/11/etr-cve-2024-28995-trivially-exploitable-information-disclosure-vulnerability-in-solarwinds-serv-u/
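Added example, not Rapid7's analysis and not SolarWinds code: the generic defence and the generic detection for the vulnerability class above. The resolver refuses any client-supplied path that would leave the served root, after percent-decoding (including double encoding) and folding backslash separators; the scanner flags traversal sequences in constructed access-log lines. The log format and the dir/file query parameter names are placeholders chosen for illustration, not Serv-U's real request format or parameters.

```python
# Added example (not SolarWinds or Rapid7 code): traversal-safe path
# resolution plus a detector for traversal sequences in access-log lines.
import os
import re
from urllib.parse import unquote


def normalize_request_path(raw):
    """Percent-decode until stable (catches double encoding such as %252e)
    and fold backslashes into forward slashes, so that every spelling of
    '..' is compared in one canonical form."""
    decoded = raw
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded.replace("\\", "/")


def resolve_under_root(root, requested):
    """Return the absolute filesystem path for a client-supplied path, or
    None if the request would escape the served root. Absolute request
    paths are re-rooted rather than honoured."""
    root_abs = os.path.realpath(root)
    cleaned = normalize_request_path(requested).lstrip("/")
    candidate = os.path.realpath(os.path.join(root_abs, cleaned))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


# Deliberately broad: any '..' followed by a separator or the end of the
# target, after normalisation has removed encodings and backslashes.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

# Constructed access-log lines in a generic combined format; the dir/file
# query parameters are placeholders, not Serv-U's real parameter names.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jun/2024:10:01:02 +0200] "GET /docs/readme.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Jun/2024:10:01:07 +0200] "GET /?dir=../../../../etc&file=passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [11/Jun/2024:10:01:09 +0200] "GET /?dir=..%5c..%5cwindows&file=win.ini HTTP/1.1" 200 400',
    '10.0.0.7 - - [11/Jun/2024:10:02:00 +0200] "GET /static/app.css HTTP/1.1" 200 90',
]


def find_traversal_attempts(log_lines):
    """Return the log lines whose request target contains a traversal
    sequence once decoded and separator-folded."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        if TRAVERSAL_RE.search(normalize_request_path(m.group(1))):
            hits.append(line)
    return hits


if __name__ == "__main__":
    root = "/srv/files"
    for req in ("docs/readme.txt", "../../etc/passwd", "..%255c..%255cwindows%255cwin.ini"):
        print(repr(req), "->", resolve_under_root(root, req))
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The resolver compares canonical absolute paths rather than looking for ".." in the input, so alternative encodings cannot slip past it; the log scanner does the opposite (pattern matching after normalisation) because it only needs to surface candidates for triage, where a broad pattern is preferable to a missed attempt.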


SAP delivers security fixes for two high-risk vulnerabilities on Patch Day

SAP warns of ten new security vulnerabilities for the June Patch Day. Updates to close the holes are available.

https://heise.de/-9757338


Avast Antivirus: Attackers can escalate privileges through vulnerability

Due to a security vulnerability, Avast Antivirus allowed malicious actors to escalate their privileges on the system. Updated software is available and should ideally already have been distributed via the automatic update mechanism. The list of security advisories from Norton (the Avast, Avira, AVG and Norton Security products are now grouped under this Gen Digital Inc. brand) contains nothing about this vulnerability, but NortonLifeLock, acting as CNA, has created a corresponding CVE entry.

https://heise.de/-9757748


Citrix: XenServer and Citrix Hypervisor Security Update for CVE-2024-5661

https://support.citrix.com/article/CTX677100/xenserver-and-citrix-hypervisor-security-update-for-cve20245661


Mozilla: Security Vulnerabilities fixed in Firefox 127

https://www.mozilla.org/en-US/security/advisories/mfsa2024-25/


Phoenix Contact: Unbounded growth of OpenSSL session cache in multiple FL MGUARD devices

https://cert.vde.com/de/advisories/VDE-2024-029/


Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch

https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-03


AVEVA PI Asset Framework Client

https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03


AVEVA PI Web API

https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-02


Rockwell Automation ControlLogix, GuardLogix, and CompactLogix

https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-01


Intrado 911 Emergency Gateway

https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-04


MicroDicom DICOM Viewer

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-163-01


SSA-900277 V1.0: MODEL File Parsing Vulnerability in Tecnomatix Plant Simulation before V2302.0012 and V2024.0001

https://cert-portal.siemens.com/productcert/html/ssa-900277.html


SSA-879734 V1.0: Multiple Vulnerabilities in SCALANCE XM-400/XR-500 before V6.6.1

https://cert-portal.siemens.com/productcert/html/ssa-879734.html


SSA-771940 V1.0: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go

https://cert-portal.siemens.com/productcert/html/ssa-771940.html


SSA-690517 V1.0: Multiple Vulnerabilities in SCALANCE W700 802.11 AX Family

https://cert-portal.siemens.com/productcert/html/ssa-690517.html


SSA-625862 V1.0: Multiple Vulnerabilities in Third-Party Components in SIMATIC CP 1542SP-1 and CP 1543SP-1 before V2.3

https://cert-portal.siemens.com/productcert/html/ssa-625862.html


SSA-620338 V1.0: Buffer Overflow Vulnerability in SICAM AK3 / BC / TM

https://cert-portal.siemens.com/productcert/html/ssa-620338.html


SSA-540640 V1.0: Improper Privilege Management Vulnerability in Mendix Runtime

https://cert-portal.siemens.com/productcert/html/ssa-540640.html


SSA-481506 V1.0: Information Disclosure Vulnerability in SIMATIC S7-200 SMART Devices

https://cert-portal.siemens.com/productcert/html/ssa-481506.html


SSA-341067 V1.0: Multiple vulnerabilities in third-party components in ST7 ScadaConnect before V1.1

https://cert-portal.siemens.com/productcert/html/ssa-341067.html


SSA-337522 V1.0: Multiple Vulnerabilities in TIM 1531 IRC before V2.4.8

https://cert-portal.siemens.com/productcert/html/ssa-337522.html


SSA-319319 V1.0: Denial of Service Vulnerability in TIA Administrator

https://cert-portal.siemens.com/productcert/html/ssa-319319.html


SSA-238730 V1.0: Out-of-Bounds Write Vulnerabilities in SITOP UPS1600 before V2.5.4

https://cert-portal.siemens.com/productcert/html/ssa-238730.html


SSA-196737 V1.0: Multiple Vulnerabilities in SINEC Traffic Analyzer before V1.2

https://cert-portal.siemens.com/productcert/html/ssa-196737.html


SSA-024584 V1.0: Authentication Bypass Vulnerability in PowerSys before V3.11

https://cert-portal.siemens.com/productcert/html/ssa-024584.html


Fortinet: Blind SQL Injection

https://fortiguard.fortinet.com/psirt/FG-IR-24-128


Fortinet: Buffer overflow in fgfmd

https://fortiguard.fortinet.com/psirt/FG-IR-24-036


Fortinet: FortiOS/FortiProxy - XSS in reboot page

https://fortiguard.fortinet.com/psirt/FG-IR-23-471


Fortinet: FortiSOAR is vulnerable to sql injection in Event Auth API via uuid parameter

https://fortiguard.fortinet.com/psirt/FG-IR-23-495


Fortinet: Multiple buffer overflows in diag npu command

https://fortiguard.fortinet.com/psirt/FG-IR-23-460


Fortinet: Stack buffer overflow on bluetooth write feature

https://fortiguard.fortinet.com/psirt/FG-IR-23-356


Fortinet: TunnelVision - CVE-2024-3661

https://fortiguard.fortinet.com/psirt/FG-IR-24-170


Fortinet: Weak key derivation for backup file

https://fortiguard.fortinet.com/psirt/FG-IR-23-423