Daily summary - 09.08.2024

End-of-Day report

Timeframe: Thursday 08-08-2024 18:00 - Friday 09-08-2024 18:00 Handler: Robert Waldner Co-Handler: n/a

News

Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs

An ongoing and widespread malware campaign force-installed malicious Google Chrome and Microsoft Edge browser extensions in over 300,000 browsers, modifying the browsers' executables to hijack homepages and steal browsing history.

https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/


'Sinkclose' Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections

Researchers warn that a bug in AMD's chips would allow attackers to root into some of the most privileged portions of a computer, and that it has persisted in the company's processors for decades.

https://www.wired.com/story/amd-chip-sinkclose-flaw/


Windows Server at risk from PoC exploit for CVE-2024-38077

Another follow-up to the July 2024 Patch Tuesday, on which Microsoft closed the vulnerability CVE-2024-38077 in the Windows Remote Desktop Licensing service (RDL) of Windows Server. [..] A proof of concept (PoC) for this vulnerability has now been published.

https://www.borncity.com/blog/2024/08/09/windows-server-durch-poc-exploit-fr-cve-2024-38077-gefhrdet/


How Hackers Extracted the 'Keys to the Kingdom' to Clone HID Keycards

[HID] has actually known about the vulnerabilities [..] since sometime in 2023, when it was first informed about the technique by another security researcher [..] HID warned customers about the existence of a vulnerability that would allow hackers to clone keycards in an advisory in January, which includes recommendations about how customers can protect themselves, but it offered no software update at that time.

https://www.wired.com/story/hid-keycard-authentication-key-vulnerability/


ICANN reserves .internal for private use at the DNS level

The Internet Corporation for Assigned Names and Numbers (ICANN) has agreed to reserve the .internal top-level domain so it can become the equivalent to using the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 IPv4 address blocks for internal networks. Those blocks are reserved for private use by the Internet Assigned Numbers Authority, which requires they never appear on the public internet.

https://www.theregister.com/2024/08/08/dot_internal_ratified/


New attack against the [Linux kernel] SLUB allocator

Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBstack. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.

https://lwn.net/Articles/984984/


Fake videos: Van der Bellen & Assinger are not advertising investment platforms

We are currently seeing another wave of deepfake videos in which Austrian celebrities advertise investment platforms on Facebook and Instagram. Do not be fooled: neither Federal President Alexander Van der Bellen nor TV presenter Armin Assinger has suddenly become a financial expert who developed an investment platform. The platforms are fraudulent and the videos were created by criminals.

https://www.watchlist-internet.at/news/fake-videos-van-der-bellen-assinger-werben-nicht-fuer-investmentplattformen/


Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!

This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. [..] These vulnerabilities were reported through the official security mailing list and were addressed by the Apache HTTP Server in the 2.4.60 update published on 2024-07-01.

https://devco.re/blog/2024/08/09/confusion-attacks-exploiting-hidden-semantic-ambiguity-in-apache-http-server-en/


Best Practices for Cisco Device Configuration

In recent incidents, CISA has seen malicious cyber actors acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature. CISA recommends organizations disable Smart Install and review NSA's Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration guidance.

https://www.cisa.gov/news-events/alerts/2024/08/08/best-practices-cisco-device-configuration
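
As an added example (not part of CISA's alert and not Cisco tooling): a small Python audit that sorts exported IOS running-configs by whether Smart Install ("vstack") has been explicitly disabled. The three sample configs are constructed, and the "default" verdict is this example's assumption: older IOS images ship with the Smart Install client enabled while showing no vstack line in the running-config, so such devices should be confirmed on the box with "show vstack config" and fixed with "no vstack".

```python
"""Audit exported Cisco IOS running-configs for the legacy Smart Install
("vstack") feature that CISA recommends disabling.

Added example, not from CISA or Cisco. The sample configs are constructed,
and the 'default' classification assumes the older-IOS behaviour where the
Smart Install client is on by default and leaves no trace in the config.
"""
import re

# Constructed running-configs for three switches (not real devices).
SAMPLE_CONFIGS = {
    "access-sw-01": (
        "hostname access-sw-01\n!\nno vstack\n!\n"
        "interface Vlan1\n ip address 10.0.0.2 255.255.255.0\n"
    ),
    "access-sw-02": (
        "hostname access-sw-02\n!\nvstack config tftp://10.0.0.50/startup.txt\n!\n"
        "interface Vlan1\n ip address 10.0.0.3 255.255.255.0\n"
    ),
    "access-sw-03": (
        "hostname access-sw-03\n!\n"
        "interface Vlan1\n ip address 10.0.0.4 255.255.255.0\n"
    ),
}

# 'no vstack' on a line by itself is the command that turns Smart Install off.
# Narrower forms such as 'no vstack config' do not, so they are not accepted.
_NO_VSTACK = re.compile(r"^\s*no vstack\s*$", re.MULTILINE)
# Any other line starting with 'vstack' is explicit director/client configuration.
_VSTACK_CFG = re.compile(r"^\s*vstack\b", re.MULTILINE)

# Commands to apply on every host that is not 'disabled'.
REMEDIATION = ["configure terminal", "no vstack", "end", "write memory"]


def smart_install_state(config_text):
    """Classify one running-config.

    'disabled'   : 'no vstack' present, Smart Install is off.
    'configured' : explicit 'vstack ...' lines (director or client settings).
    'default'    : no vstack lines at all; assumed exposed until
                   'show vstack config' on the device proves otherwise.
    """
    if _NO_VSTACK.search(config_text):
        return "disabled"
    if _VSTACK_CFG.search(config_text):
        return "configured"
    return "default"


def audit(configs):
    """Map hostname -> state for a dict of {hostname: running-config text}."""
    return {host: smart_install_state(text) for host, text in configs.items()}


def exposed_hosts(configs):
    """Hostnames that still need 'no vstack' (everything not 'disabled')."""
    return sorted(host for host, state in audit(configs).items() if state != "disabled")


if __name__ == "__main__":
    for host, state in audit(SAMPLE_CONFIGS).items():
        print(f"{host}: {state}")
    for host in exposed_hosts(SAMPLE_CONFIGS):
        print(f"{host}: apply -> " + " ; ".join(REMEDIATION))
```

The audit is deliberately pessimistic: a config that says nothing about vstack is reported as exposed rather than clean, because on the affected IOS releases silence means the client is listening on TCP/4786. Treat the "configured" verdict as exposed as well; a director setting is still Smart Install.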


Security researchers turn Sonos One speakers into listening devices

Attackers can record conversations through the built-in microphone of Sonos One speakers. The security issue has since been fixed.

https://heise.de/-9830061

Vulnerabilities

Vulnerabilities in 1Password put macOS users at risk [CVE-2024-42218, CVE-2024-42219]

1Password 8 for Mac has two security vulnerabilities that allow attackers to exfiltrate vault items from macOS users. [..] For an attack to succeed, however, in both cases the attacker must already be able to run their own software on the target system.

https://www.golem.de/news/datenabfluss-moeglich-schwachstellen-in-1password-gefaehrden-macos-nutzer-2408-187895.html


Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability [CVE-2024-38219]

Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and take additional actions prior to exploitation to prepare the target environment. Fixed in Microsoft Edge Version 127.0.2651.98 released 8/8/2024.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38219


Microsoft Edge (HTML-based) Memory Corruption Vulnerability [CVE-2024-38218]

The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Fixed in Microsoft Edge Version 127.0.2651.98 released 8/8/2024.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38218


Multiple vulnerabilities in LogSign

https://www.zerodayinitiative.com/advisories/ZDI-24-1102/
http://www.zerodayinitiative.com/advisories/ZDI-24-1103/
http://www.zerodayinitiative.com/advisories/ZDI-24-1104/
https://www.zerodayinitiative.com/advisories/ZDI-24-1105/
https://www.zerodayinitiative.com/advisories/ZDI-24-1106/

https://support.logsign.net/hc/en-us/articles/20617133769362-07-08-2024-Version-6-4-23-Release-Notes


PostgreSQL relation replacement during pg_dump executes arbitrary SQL [CVE-2024-7348]

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

https://www.postgresql.org/support/security/CVE-2024-7348/


Security updates for Friday

Security updates have been issued by AlmaLinux (httpd, kernel, kernel-rt, and libtiff), Debian (postgresql-13, postgresql-15, and thunderbird), Fedora (frr, thunderbird, vim, and xrdp), Gentoo (Librsvg, Nautilus, ncurses, Percona XtraBackup, QEMU, and re2c), Red Hat (httpd, kernel, kernel-rt, openssl, and python-setuptools), SUSE (bind, ffmpeg-4, kubernetes1.23, kubernetes1.24, python-Django, and python3-Twisted), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-oem-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle, linux-oracle-5.4, and salt).

https://lwn.net/Articles/984966/


New FileSender 2.49 release with major changes

We are happy to announce the release of FileSender 2.49. This new release includes security updates that you should install. Also, it offers a few features and improvements, as well as many bug fixes.

https://connect.geant.org/2024/08/08/new-filesender-2-49-release-with-major-changes


0.0.0.0 Day vulnerability has enabled attacks on browsers for 18 years

Security researchers have disclosed that attackers have exploited an 18-year-old flaw in Safari, Chrome and Firefox to break into private networks. The vulnerability, dubbed "0.0.0.0 Day", allows malicious websites to bypass browser security and interact with services running on an organisation's local network. This can lead to unauthorised access and remote code execution on local services by attackers outside the network. Browser vendors are now starting to block this address.

https://www.borncity.com/blog/2024/08/09/0-0-0-0-day-schwachstelle-ermglicht-seit-18-jahren-angriffe-auf-browser/
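
As an added example (not from the article, and not code from any browser vendor): until the browser-side block has shipped everywhere, a service that is meant to be reachable only from the same machine can refuse requests that arrive under the 0.0.0.0 name or from a foreign web origin. The Python below (standard library only) does that for a small development HTTP server. The allow-list of loopback names, the header checks and the server wrapper are this example's own assumptions; the page only states that 0.0.0.0 lets a website reach local services.

```python
"""Host/Origin gate for a loopback-only HTTP service, so that a web page on
another origin that reaches the service via the 0.0.0.0 alias is refused
even in a browser that has not yet blocked that address.

Added example, not from the article. The allow-list and the checks below
are assumptions of this example, not part of any browser or server spec.
"""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Names a browser would put in the Host header for a same-machine request.
# 0.0.0.0 is deliberately absent: a request carrying Host: 0.0.0.0 came from
# a page that used the unspecified address to dodge private-network checks.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _hostname(authority):
    """'127.0.0.1:8080' -> '127.0.0.1', '[::1]:8080' -> '::1'; None if unparsable."""
    try:
        return urlsplit("//" + authority).hostname
    except ValueError:
        return None


def _origin_hostname(origin):
    """'https://evil.example' -> 'evil.example'; 'null' or garbage -> None."""
    try:
        return urlsplit(origin).hostname
    except ValueError:
        return None


def is_allowed_local_request(headers):
    """Return True only for requests a same-machine, same-origin client would send.

    headers: a case-insensitive mapping (the stdlib handler's self.headers
    qualifies); plain dicts must use lower-case keys as in the tests.
    """
    # 1. The Host header must name loopback explicitly (rejects 0.0.0.0, LAN IPs, hostnames).
    host = _hostname(headers.get("host") or "")
    if host not in ALLOWED_HOSTS:
        return False
    # 2. If the browser sent an Origin, it must also be loopback ('null' fails).
    origin = headers.get("origin")
    if origin is not None and _origin_hostname(origin) not in ALLOWED_HOSTS:
        return False
    # 3. Fetch-metadata, when present, must not say the request crosses sites.
    site = headers.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False
    return True


class LoopbackOnlyHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies the gate before serving anything."""

    def do_GET(self):
        if not is_allowed_local_request(self.headers):
            self.send_error(403, "request refused: not a same-origin loopback client")
            return
        body = b"hello from the local dev service\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(port=8080):
    # Bind to 127.0.0.1, never 0.0.0.0, so the service is off LAN interfaces.
    # On Linux and macOS a connection to 0.0.0.0 is still delivered to the
    # local host, which is why the Host-header check above exists.
    ThreadingHTTPServer(("127.0.0.1", port), LoopbackOnlyHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The Host check is the one that matters for this bug: a page on evil.example doing fetch("http://0.0.0.0:8080/") makes the browser send Host: 0.0.0.0:8080, which the allow-list rejects whether or not an Origin header accompanies it. The Origin and Sec-Fetch-Site checks only tighten the result for browsers that send them.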


RaonSecure Product Security Advisory

Overview: RaonSecure has released an update to address a vulnerability in their products. Users of affected versions are advised to update to the latest version. Affected products: TouchEn nxKey, versions up to and including 1.0.0.87.

https://asec.ahnlab.com/en/82372/


LibreOffice: Ability to trust not validated macro signatures removed in high security mode [CVE-2024-6472]

https://www.libreoffice.org/about-us/security/advisories/CVE-2024-6472


IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Vim-minimal Package Issues

https://www.ibm.com/support/pages/node/7164174


Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for July 2024.

https://www.ibm.com/support/pages/node/7161907


Multiple vulnerabilities in IBM Business Automation Workflow Machine Learning Server are addressed with 24.0.0-IF001

https://www.ibm.com/support/pages/node/7164164


IBM Cloud Pak for Data is vulnerable to unknown impact and attack vector due to Python certifi ( CVE-2022-23491 )

https://www.ibm.com/support/pages/node/7164180


IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues

https://www.ibm.com/support/pages/node/7164175


IBM Cloud Pak for Data is vulnerable to session hijacking due to Node.js passport module ( CVE-2022-25896 )

https://www.ibm.com/support/pages/node/7164201


IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js http-cache-semantics module ( CVE-2022-25881 )

https://www.ibm.com/support/pages/node/7164225


IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js cookiejar module ( CVE-2022-25901 )

https://www.ibm.com/support/pages/node/7164200


IBM Cloud Pak for Data is vulnerable to cross-site scripting due to Jinja2 ( CVE-2024-34064 )

https://www.ibm.com/support/pages/node/7164204


IBM Cloud Pak for Data is vulnerable to denial of service due to Pallets Werkzeug ( CVE-2023-46136 )

https://www.ibm.com/support/pages/node/7164208


IBM Cloud Pak for Data is vulnerable to denial of service due to Express.js ( CVE-2022-24999 )

https://www.ibm.com/support/pages/node/7164217


IBM Cloud Pak for Data is vulnerable to several issues due to the go compiler ( CVE-2022-41724 CVE-2021-34558 )

https://www.ibm.com/support/pages/node/7164255


IBM Cloud Pak for Data is vulnerable to denial of service due to Rack ( CVE-2024-26146 )

https://www.ibm.com/support/pages/node/7164274


IBM Cloud Pak for Data is vulnerable to exposing sensitive information due to Masterminds GoUtils ( CVE-2021-4238 )

https://www.ibm.com/support/pages/node/7164234


IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js semver ( CVE-2022-25883 )

https://www.ibm.com/support/pages/node/7164266


IBM Cloud Pak for Data is vulnerable to regular expression denial of service due to Rack ( CVE-2023-27539 )

https://www.ibm.com/support/pages/node/7164269


This Power System update is being released to address CVE-2024-41660

https://www.ibm.com/support/pages/node/7163146


IBM Aspera Shares improved security for user session handling (CVE-2023-38018)

https://www.ibm.com/support/pages/node/7164325


The IBM Engineering Lifecycle Engineering product using the -Xgc:concurrentScavenge option on IBM Z is vulnerable to Buffer overflow in GC

https://www.ibm.com/support/pages/node/7164658


The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to cross-site scripting (CVE-2024-35153)

https://www.ibm.com/support/pages/node/7164651


The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to remote code execution (CVE-2024-35154)

https://www.ibm.com/support/pages/node/7164649


The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to identity spoofing (CVE-2024-37532)

https://www.ibm.com/support/pages/node/7164653


IBM Sterling Connect:Direct Web Service is affected by Java JWT vulnerability

https://www.ibm.com/support/pages/node/7164709


There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2024-25710, CVE-2024-26308)

https://www.ibm.com/support/pages/node/7164810


There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Asset Management application (CVE-2024-25710, CVE-2024-26308)

https://www.ibm.com/support/pages/node/7164809


Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-27268 used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/7164814


Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-22354 used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/7164813


Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2023-51775 a denial of service due to jose4j

https://www.ibm.com/support/pages/node/7164812


Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to multiple CVEs used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/7164811


Multiple Vulnerabilities in XCC affect IBM Cloud Pak System

https://www.ibm.com/support/pages/node/7147906