End-of-Day report
Timeframe: Donnerstag 08-08-2024 18:00 - Freitag 09-08-2024 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs
An ongoing and widespread malware campaign force-installed malicious Google Chrome and Microsoft Edge browser extensions in over 300,000 browsers, modifying the browsers executables to hijack homepages and steal browsing history.
https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/
-Sinkclose- Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections
Researchers warn that a bug in AMD-s chips would allow attackers to root into some of the most privileged portions of a computer-and that it has persisted in the company-s processors for decades.
https://www.wired.com/story/amd-chip-sinkclose-flaw/
Windows Server durch PoC-Exploit für CVE-2024-38077 gefährdet
Nochmals ein Nachgang zum Juli 2024-Patchday, bei dem Microsoft die Schwachstelle CVE-2024-38077 im Windows-Remotedesktop-Lizenzierungsdienst (RDL) von Windows Server geschlossen hat. [..] es wurde ein Proof of Concept (PoC) für diese Schwachstelle veröffentlicht.
https://www.borncity.com/blog/2024/08/09/windows-server-durch-poc-exploit-fr-cve-2024-38077-gefhrdet/
How Hackers Extracted the -Keys to the Kingdom- to Clone HID Keycards
[HID]s actually known about the vulnerabilities [..] since sometime in 2023, when it was first informed about the technique by another security researcher [..] HID warned customers about the existence of a vulnerability that would allow hackers to clone keycards in an advisory in January, which includes recommendations about how customers can protect themselves-but it offered no software update at that time.
https://www.wired.com/story/hid-keycard-authentication-key-vulnerability/
ICANN reserves .internal for private use at the DNS level
The Internet Corporation for Assigned Names and Numbers (ICANN) has agreed to reserve the .internal top-level domain so it can become the equivalent to using the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 IPv4 address blocks for internal networks. Those blocks are reserved for private use by the Internet Assigned Numbers Authority, which requires they never appear on the public internet.
https://www.theregister.com/2024/08/08/dot_internal_ratified/
New attack against the [Linux kernel] SLUB allocator
Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBstack. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.
https://lwn.net/Articles/984984/
Fake-Videos: Van der Bellen & Assinger werben nicht für Investmentplattformen
Derzeit erleben wir erneut eine Welle von Deepfake-Videos, in denen österreichische Prominente auf Facebook und Instagram für Investmentplattformen werben. Lassen Sie sich nicht täuschen: Weder Bundespräsident Alexander van der Bellen noch TV-Moderator Armin Assinger sind plötzlich Finanzexperten, die eine Investmentplattform entwickelt haben. Die Plattformen sind betrügerisch und die Videos wurden von Kriminellen erstellt.
https://www.watchlist-internet.at/news/fake-videos-van-der-bellen-assinger-werben-nicht-fuer-investmentplattformen/
Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!
This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. [..] These vulnerabilities were reported through the official security mailing list and were addressed by the Apache HTTP Server in the 2.4.60 update published on 2024-07-01.
https://devco.re/blog/2024/08/09/confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-en/
Best Practices for Cisco Device Configuration
In recent incidents, CISA has seen malicious cyber actors acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature. CISA recommends organizations disable Smart Install and review NSA-s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration guidance.
https://www.cisa.gov/news-events/alerts/2024/08/08/best-practices-cisco-device-configuration
Sicherheitsforscher verwandeln Sonos-One-Lautsprecher in Wanze
Angreifer können über das eingebaute Mikrofon von Sonos-One-Lautsprechern Gespräche mitschneiden. Mittlerweile ist das Sicherheitsproblem gelöst.
https://heise.de/-9830061
Vulnerabilities
Schwachstellen in 1Password gefährden MacOS-Nutzer [CVE-2024-42218, CVE-2024-42219]
In 1Password 8 für Mac klaffen zwei Sicherheitslücken, die es Angreifern ermöglichen, Tresorelemente von MacOS-Nutzern abzugreifen. [..] Damit ein Angriff gelingt, muss ein Angreifer allerdings bei beiden Lücken bereits in der Lage sein, auf dem Zielsystem eine eigene Software auszuführen.
https://www.golem.de/news/datenabfluss-moeglich-schwachstellen-in-1password-gefaehrden-macos-nutzer-2408-187895.html
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability [CVE-2024-38219]
Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and take additional actions prior to exploitation to prepare the target environment. Fxied in Microsoft Edge Version 127.0.2651.98 released 8/8/2024.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38219
Microsoft Edge (HTML-based) Memory Corruption Vulnerability [CVE-2024-38218]
The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Fixed in Microsoft Edge Version 127.0.2651.98 released 8/8/2024.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38218
Multiple vulnerabilities in LogSign
https://www.zerodayinitiative.com/advisories/ZDI-24-1102/
http://www.zerodayinitiative.com/advisories/ZDI-24-1103/
http://www.zerodayinitiative.com/advisories/ZDI-24-1104/
https://www.zerodayinitiative.com/advisories/ZDI-24-1105/
https://www.zerodayinitiative.com/advisories/ZDI-24-1106/
https://support.logsign.net/hc/en-us/articles/20617133769362-07-08-2024-Version-6-4-23-Release-Notes
PostgreSQL relation replacement during pg_dump executes arbitrary SQL [CVE-2024-7348]
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
https://www.postgresql.org/support/security/CVE-2024-7348/
Security updates for Friday
Security updates have been issued by AlmaLinux (httpd, kernel, kernel-rt, and libtiff), Debian (postgresql-13, postgresql-15, and thunderbird), Fedora (frr, thunderbird, vim, and xrdp), Gentoo (Librsvg, Nautilus, ncurses, Percona XtraBackup, QEMU, and re2c), Red Hat (httpd, kernel, kernel-rt, openssl, and python-setuptools), SUSE (bind, ffmpeg-4, kubernetes1.23, kubernetes1.24, python-Django, and python3-Twisted), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-oem-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle, linux-oracle-5.4, salt.
https://lwn.net/Articles/984966/
New FileSender 2.49 release with major changes
We are happy to announce the release of FileSender 2.49. This new release includes security updates that you should install. Also, it offers a few features and improvements, as well as many bug fixes.
https://connect.geant.org/2024/08/08/new-filesender-2-49-release-with-major-changes
0.0.0.0 Day-Schwachstelle ermöglicht seit 18 Jahren Angriffe auf Browser
Sicherheitsforscher haben offen gelegt, dass Hacker einen seit 18 Jahren bekannten, alten Fehler in Safari, Chrome und Firefox ausgenutzt haben, um in private Netzwerke einzudringen. Die als "0.0.0.0 Day" bezeichnete Sicherheitslücke ermöglicht es böswilligen Websites, die Browsersicherheit zu umgehen und mit Diensten zu interagieren, die im lokalen Netzwerk einer Organisation laufen. Dies kann zu unautorisiertem Zugriff und Remotecodeausführung auf lokalen Diensten durch Angreifer außerhalb des Netzwerks führen. Die Browserhersteller beginnen nun, diese Adresse zu blockieren.
https://www.borncity.com/blog/2024/08/09/0-0-0-0-day-schwachstelle-ermglicht-seit-18-jahren-angriffe-auf-browser/
RaonSecure Product Security Advisory
Overview RaonSecure has released an update to address a vulnerability in their products. Users of affected versions are advised to update to the latest version. Affected Products TouchEn nxKey version: ~ 1.0.0.87 (included)
https://asec.ahnlab.com/en/82372/
LibreOffice: Ability to trust not validated macro signatures removed in high security mode [CVE-2024-6472]
https://www.libreoffice.org/about-us/security/advisories/CVE-2024-6472
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Vim-minimal Package Issues
https://www.ibm.com/support/pages/node/7164174
Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for July 2024.
https://www.ibm.com/support/pages/node/7161907
Multiple vulnerabilities in IBM Business Automation Workflow Machine Learning Server are addressed with 24.0.0-IF001
https://www.ibm.com/support/pages/node/7164164
IBM Cloud Pak for Data is vulnerable to unknown impact and attack vector due to Python certifi ( CVE-2022-23491 )
https://www.ibm.com/support/pages/node/7164180
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues
https://www.ibm.com/support/pages/node/7164175
IBM Cloud Pak for Data is vulnerable to session hijacking due to Node.js passport module ( CVE-2022-25896 )
https://www.ibm.com/support/pages/node/7164201
IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js http-cache-semantics module ( CVE-2022-25881 )
https://www.ibm.com/support/pages/node/7164225
IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js cookiejar module ( CVE-2022-25901 )
https://www.ibm.com/support/pages/node/7164200
IBM Cloud Pak for Data is vulnerable to cross-site scripting due to Jinja2 ( CVE-2024-34064 )
https://www.ibm.com/support/pages/node/7164204
IBM Cloud Pak for Data is vulnerable to denial of service due to Pallets Werkzeug ( CVE-2023-46136 )
https://www.ibm.com/support/pages/node/7164208
IBM Cloud Pak for Data is vulnerable to denial of service due to Express.js ( CVE-2022-24999 )
https://www.ibm.com/support/pages/node/7164217
IBM Cloud Pak for Data is vulnerable to several issues due to the go compiler ( CVE-2022-41724 CVE-2021-34558 )
https://www.ibm.com/support/pages/node/7164255
IBM Cloud Pak for Data is vulnerable to denial of service due to Rack ( CVE-2024-26146 )
https://www.ibm.com/support/pages/node/7164274
IBM Cloud Pak for Data is vulnerable to exposing sensitive information due to Masterminds GoUtils ( CVE-2021-4238 )
https://www.ibm.com/support/pages/node/7164234
IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js semver ( CVE-2022-25883 )
https://www.ibm.com/support/pages/node/7164266
IBM Cloud Pak for Data is vulnerable to regular expression denial of service due to Rack ( CVE-2023-27539 )
https://www.ibm.com/support/pages/node/7164269
This Power System update is being released to address CVE-2024-41660
https://www.ibm.com/support/pages/node/7163146
IBM Aspera Shares improved security for user session handling (CVE-2023-38018)
https://www.ibm.com/support/pages/node/7164325
The IBM Engineering Lifecycle Engineering product using the -Xgc:concurrentScavenge option on IBM Z is vulnerable to Buffer overflow in GC
https://www.ibm.com/support/pages/node/7164658
The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to cross-site scripting (CVE-2024-35153)
https://www.ibm.com/support/pages/node/7164651
The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to remote code execution (CVE-2024-35154)
https://www.ibm.com/support/pages/node/7164649
The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to identity spoofing (CVE-2024-37532)
https://www.ibm.com/support/pages/node/7164653
IBM Sterling Connect:Direct Web Service is affected by Java JWT vulnerability
https://www.ibm.com/support/pages/node/7164709
There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2024-25710, CVE-2024-26308)
https://www.ibm.com/support/pages/node/7164810
There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Asset Management application (CVE-2024-25710, CVE-2024-26308)
https://www.ibm.com/support/pages/node/7164809
Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-27268 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7164814
Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-22354 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7164813
Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2023-51775 a denial of service due to jose4j
https://www.ibm.com/support/pages/node/7164812
Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to multiple CVEs used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7164811
Multiple Vulnerabilities in XCC affect IBM Cloud Pak System
https://www.ibm.com/support/pages/node/7147906