End-of-Day report
Timeframe: Monday 10-06-2024 18:00 - Tuesday 11-06-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Gitloker attacks abuse GitHub notifications to push malicious OAuth apps
Threat actors impersonate GitHub's security and recruitment teams in phishing attacks to hijack repositories using malicious OAuth apps in an ongoing extortion campaign wiping compromised repos.
https://www.bleepingcomputer.com/news/security/gitloker-attacks-abuse-github-notifications-to-push-malicious-oauth-apps/
Arm warns of actively exploited flaw in Mali GPU kernel drivers
Arm has issued a security bulletin warning of a memory-related vulnerability in Bifrost and Valhall GPU kernel drivers that is being exploited in the wild.
https://www.bleepingcomputer.com/news/security/arm-warns-of-actively-exploited-flaw-in-mali-gpu-kernel-drivers/
QR code SQL injection and other vulnerabilities in a popular biometric terminal
The report analyzes the security properties of a popular biometric access control terminal made by ZKTeco and describes vulnerabilities found in it.
https://securelist.com/biometric-terminal-vulnerabilities/112800/
A Brief History of SmokeLoader, Part 1
In May 2024, Zscaler ThreatLabz's technical analysis of SmokeLoader supported an international law enforcement action known as Operation Endgame, which remotely disinfected tens of thousands of infections. In the process of providing assistance to law enforcement for the operation, ThreatLabz has documented SmokeLoader for nearly all known versions. In this two-part blog series, we explore the evolution of SmokeLoader.
https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-part-1
"Hallo Mama/Hallo Papa" messages target personal photos
Be careful if your child suddenly writes to you from an unknown number and claims that this is now their new number. Behind this are criminals who want to steal your money. In addition, "your child" asks you to send personal photos. These are presumably misused by the criminals for further scams.
https://www.watchlist-internet.at/news/hallo-mama-hallo-papa-nachrichten-zielen-auf-persoenliche-fotos/
Enumerating System Management Interrupts
System Management Interrupts (SMI) provide a mechanism for entering System Management Mode (SMM) which primarily implements platform-specific functions related to power management. SMM is a privileged execution mode with access to the complete physical memory of the system, and to which the operating system has no visibility.
https://research.nccgroup.com/2024/06/10/enumerating-system-management-interrupts/
BIOS update 01.17.00 makes HP ProBook 445 G7 and 455 G7 completely unusable
Hewlett Packard (HP) has released a broken BIOS version that turns HP ProBook 445 G7 and 455 G7 notebooks from 2020 into expensive paperweights. [..] This BIOS 01.17.00 update is supposed to close a critical security vulnerability, and was accordingly listed by the Support Assistant as a critical update that should be installed as quickly as possible.
https://www.borncity.com/blog/2024/06/11/bios-update-01-17-00-macht-hp-probooks-445-g7-und-455-g7-komplett-unbrauchbar/
Vulnerabilities
Netgear WNR614 flaws allow device takeover, no fix available
Researchers found half a dozen vulnerabilities of varying severity impacting Netgear WNR614 N300, a budget-friendly router that proved popular among home users and small businesses.
https://www.bleepingcomputer.com/news/security/netgear-wnr614-flaws-allow-device-takeover-no-fix-available/
(0Day) Microsoft Windows Incorrect Permission Assignment Information Disclosure Vulnerability
This vulnerability allows local attackers to disclose sensitive information or to create a denial-of-service condition on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Furthermore, the vulnerable behavior occurs only in certain hardware configurations. [..] Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.
https://www.zerodayinitiative.com/advisories/ZDI-24-598/
Security updates for Tuesday
Security updates have been issued by AlmaLinux (ruby:3.3), Fedora (efifs, libvirt, podman-tui, prometheus-podman-exporter, and strongswan), Red Hat (firefox, idm:DL1, ipa, nghttp2, and thunderbird), SUSE (aws-nitro-enclaves-cli, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, frr, glibc, go1.21, go1.22, gstreamer-plugins-base, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, libxml2, mariadb, poppler, python-Brotli, python-docker, python-idna, rmt-server, skopeo, sssd, unbound, unrar, util-linux, and webkit2gtk3), and Ubuntu (giflib, libphp-adodb, linux-gkeop, linux-gkeop-5.15, linux-kvm, linux-laptop, linux-oem-6.8, nodejs, and tiff).
https://lwn.net/Articles/977939/
CVE-2024-28995: Trivially Exploitable Information Disclosure Vulnerability in SolarWinds Serv-U
On June 5, 2024, SolarWinds disclosed CVE-2024-28995, a high-severity directory traversal vulnerability affecting the Serv-U file transfer server. Successful exploitation of the vulnerability allows unauthenticated attackers to read sensitive files on the host.
https://www.rapid7.com/blog/post/2024/06/11/etr-cve-2024-28995-trivially-exploitable-information-disclosure-vulnerability-in-solarwinds-serv-u/
SAP delivers security fixes for two high-risk vulnerabilities on Patch Day
SAP warns of ten new security vulnerabilities for the June Patch Day. Updates to close the holes are available.
https://heise.de/-9757338
Avast Antivirus: attackers can escalate privileges through vulnerability
Due to a security vulnerability, Avast Antivirus allowed malicious actors to escalate their privileges on the system. Updated software is available and should ideally already have been distributed via the automatic update mechanism. The list of security advisories from Norton (Avast, Avira, AVG and Norton Security products are now grouped under this Gen Digital Inc. brand) contains nothing about this vulnerability, but NortonLifeLock, as CNA, has created a corresponding CVE entry.
https://heise.de/-9757748
Citrix: XenServer and Citrix Hypervisor Security Update for CVE-2024-5661
https://support.citrix.com/article/CTX677100/xenserver-and-citrix-hypervisor-security-update-for-cve20245661
Mozilla: Security Vulnerabilities fixed in Firefox 127
https://www.mozilla.org/en-US/security/advisories/mfsa2024-25/
Phoenix Contact: Unbounded growth of OpenSSL session cache in multiple FL MGUARD devices
https://cert.vde.com/de/advisories/VDE-2024-029/
Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch
https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-03
AVEVA PI Asset Framework Client
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03
AVEVA PI Web API
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-02
Rockwell Automation ControlLogix, GuardLogix, and CompactLogix
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-01
Intrado 911 Emergency Gateway
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-04
MicroDicom DICOM Viewer
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-163-01
SSA-900277 V1.0: MODEL File Parsing Vulnerability in Tecnomatix Plant Simulation before V2302.0012 and V2024.0001
https://cert-portal.siemens.com/productcert/html/ssa-900277.html
SSA-879734 V1.0: Multiple Vulnerabilities in SCALANCE XM-400/XR-500 before V6.6.1
https://cert-portal.siemens.com/productcert/html/ssa-879734.html
SSA-771940 V1.0: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go
https://cert-portal.siemens.com/productcert/html/ssa-771940.html
SSA-690517 V1.0: Multiple Vulnerabilities in SCALANCE W700 802.11 AX Family
https://cert-portal.siemens.com/productcert/html/ssa-690517.html
SSA-625862 V1.0: Multiple Vulnerabilities in Third-Party Components in SIMATIC CP 1542SP-1 and CP 1543SP-1 before V2.3
https://cert-portal.siemens.com/productcert/html/ssa-625862.html
SSA-620338 V1.0: Buffer Overflow Vulnerability in SICAM AK3 / BC / TM
https://cert-portal.siemens.com/productcert/html/ssa-620338.html
SSA-540640 V1.0: Improper Privilege Management Vulnerability in Mendix Runtime
https://cert-portal.siemens.com/productcert/html/ssa-540640.html
SSA-481506 V1.0: Information Disclosure Vulnerability in SIMATIC S7-200 SMART Devices
https://cert-portal.siemens.com/productcert/html/ssa-481506.html
SSA-341067 V1.0: Multiple vulnerabilities in third-party components in ST7 ScadaConnect before V1.1
https://cert-portal.siemens.com/productcert/html/ssa-341067.html
SSA-337522 V1.0: Multiple Vulnerabilities in TIM 1531 IRC before V2.4.8
https://cert-portal.siemens.com/productcert/html/ssa-337522.html
SSA-319319 V1.0: Denial of Service Vulnerability in TIA Administrator
https://cert-portal.siemens.com/productcert/html/ssa-319319.html
SSA-238730 V1.0: Out-of-Bounds Write Vulnerabilities in SITOP UPS1600 before V2.5.4
https://cert-portal.siemens.com/productcert/html/ssa-238730.html
SSA-196737 V1.0: Multiple Vulnerabilities in SINEC Traffic Analyzer before V1.2
https://cert-portal.siemens.com/productcert/html/ssa-196737.html
SSA-024584 V1.0: Authentication Bypass Vulnerability in PowerSys before V3.11
https://cert-portal.siemens.com/productcert/html/ssa-024584.html
Fortinet: Blind SQL Injection
https://fortiguard.fortinet.com/psirt/FG-IR-24-128
Fortinet: Buffer overflow in fgfmd
https://fortiguard.fortinet.com/psirt/FG-IR-24-036
Fortinet: FortiOS/FortiProxy - XSS in reboot page
https://fortiguard.fortinet.com/psirt/FG-IR-23-471
Fortinet: FortiSOAR is vulnerable to sql injection in Event Auth API via uuid parameter
https://fortiguard.fortinet.com/psirt/FG-IR-23-495
Fortinet: Multiple buffer overflows in diag npu command
https://fortiguard.fortinet.com/psirt/FG-IR-23-460
Fortinet: Stack buffer overflow on bluetooth write feature
https://fortiguard.fortinet.com/psirt/FG-IR-23-356
Fortinet: TunnelVision - CVE-2024-3661
https://fortiguard.fortinet.com/psirt/FG-IR-24-170
Fortinet: Weak key derivation for backup file
https://fortiguard.fortinet.com/psirt/FG-IR-23-423