Tageszusammenfassung - 01.02.2024

End-of-Day report

Timeframe: Mittwoch 31-01-2024 18:00 - Donnerstag 01-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer

News

Exploit released for Android local elevation flaw impacting 7 OEMs

A proof-of-concept (PoC) exploit for a local privilege elevation flaw impacting at least seven Android original equipment manufacturers (OEMs) is now publicly available on GitHub. However, as the exploit requires local access, its release will mostly be helpful to researchers.

https://www.bleepingcomputer.com/news/security/exploit-released-for-android-local-elevation-flaw-impacting-7-oems/

Hackers push USB malware payloads via news, media hosting sites

A financially motivated threat actor using USB devices for initial infection has been found abusing legitimate online platforms, including GitHub, Vimeo, and Ars Technica, to host encoded payloads embedded in seemingly benign content.

https://www.bleepingcomputer.com/news/security/hackers-push-usb-malware-payloads-via-news-media-hosting-sites/

The Fun and Dangers of Top Level Domains (TLDs), (Wed, Jan 31st)

In the beginning, life was easy. We had a very limited set of top-level domains: .com, .edu, .gov, ..int, org, .mil, .net, .org, .edu. In addition, we had .arpa for infrastructure use and various two letter country level domains. [..] But yesterday, I noticed some news about a new interesting TLD that you may want to consider adopting: .internal.

https://isc.sans.edu/diary/rss/30608

FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network

The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network.

https://thehackernews.com/2024/02/fritzfrog-returns-with-log4shell-and.html

Stealthy Persistence & PrivEsc in Entra ID by using the Federated Auth Secondary Token-signing Cert.

Microsoft Entra ID (formerly known as Azure AD) offers a feature called federation that allows you to delegate authentication to another Identity Provider (IdP), such as AD FS with on-prem Active Directory. When users log in, they will be redirected to the external IdP for authentication, before being redirected back to Entra ID who will then verify the successful authentication on the external IdP and the user-s identity. [..] The external IdP signs the token with a private key, which has an associated public key stored in a certificate. [..] In this post, I-ll show you where this certificate can be found and how attackers can add it (given the necessary privileges) and use it to forge malicious tokens. Finally, I will provide some recommendations for defense in light of this.

https://medium.com/tenable-techblog/stealthy-persistence-privesc-in-entra-id-by-using-the-federated-auth-secondary-token-signing-cert-876b21261106

OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges

Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine. Cisco Talos publicly disclosed these issues after working with Open Automation Software to ensure that patches were available for users. Now that a fix has been released with Version 19, we want to take the time to dive into a few of these vulnerabilities and show how a handful of bugs that could be viewed as low-impact could be exploited as a series to carry out various malicious actions, even going as far to gaining access to the underlying system.

https://blog.talosintelligence.com/oas-engine-deep-dive/

Vulnerabilities

Mastodon: Diebstahl beliebiger Identitäten im föderierten Kurznachrichtendienst

Angreifer können jeden beliebigen Account übernehmen und fälschen. [..] Die Sicherheitslücke hat die CVE-ID CVE-2024-23832 erhalten und hat immerhin 9,4 von 10 CVSS-Punkten. Es handelt sich nach Einschätzung des Mastodon-Teams um eine leicht aus der Ferne ausnutzbare Lücke, die keinerlei Vorbedingungen mitbringt. Weder muss der Angreifer über besondere Privilegien verfügen, noch einen legitimen Nutzer austricksen, etwa mit einem gefälschten Link. Weitere Details verraten die Entwickler erst am 15. Februar.

https://www.heise.de/-9615961

Security Update for Ivanti Connect Secure and Ivanti Policy Secure Gateways

Update 1 February: A patch addressing all known vulnerabilities is now available for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1.

https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways

Security updates for Thursday

Security updates have been issued by Debian (debian-security-support, firefox-esr, openjdk-11, and python-asyncssh), Fedora (glibc, python-templated-dictionary, thunderbird, and xorg-x11-server-Xwayland), Gentoo (Chromium, Google Chrome, Microsoft Edge and WebKitGTK+), Red Hat (firefox, gnutls, libssh, thunderbird, and tigervnc), SUSE (mbedtls, rear116, rear1172a, runc, squid, and tinyssh), and Ubuntu (glibc and runc).

https://lwn.net/Articles/960436/

Gessler GmbH WEB-MASTER

Successful exploitation of these vulnerabilities could allow a user to take control of the web management of the device. An attacker with access to the device could also extract and break the password hashes for all users stored on the device. CVSS v3 9.8

https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01

Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007

https://www.drupal.org/sa-contrib-2024-007

IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/

Lexmark Security Advisories

https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html

Juniper: (Critical) 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in JSA Applications

https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-Series-Multiple-vulnerabilities-resolved-in-JSA-Applications

Juniper: (Medium) 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in 7.5.0 UP7 IF04

https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-Series-Multiple-vulnerabilities-resolved-in-7-5-0-UP7-IF04

Wordfence Intelligence Weekly WordPress Vulnerability Report (January 22, 2024 to January 28, 2024)

https://www.wordfence.com/blog/2024/02/wordfence-intelligence-weekly-wordpress-vulnerability-report-january-22-2024-to-january-28-2024/

AVEVA Edge products (formerly known as InduSoft Web Studio)

https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-03