Daily summary - 09.05.2023

End-of-Day report

Timeframe: Monday 08-05-2023 18:00 - Tuesday 09-05-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a

News

A new, stealthier type of Typosquatting attack spotted targeting NPM

Attackers have been using lowercase letters in package names on the Node Package Manager (NPM) registry for potential malicious package impersonation. This deceptive tactic presents a dangerous twist on a well-known attack method -- "Typosquatting."

https://checkmarx.com/blog/a-new-stealthier-type-of-typosquatting-attack-spotted-targeting-npm/

AndoryuBot DDoS Botnet Exploiting Ruckus AP Vulnerability

Owners of Ruckus access points (APs) have been warned that a DDoS botnet named AndoryuBot has been exploiting a recently patched vulnerability to hack devices. The vulnerability in question is tracked as CVE-2023-25717 and it was patched by Ruckus in February in many of its wireless APs.

https://www.securityweek.com/andoryubot-ddos-botnet-exploiting-ruckus-ap-vulnerability/

Building Automation System Exploit Brings KNX Security Back in Spotlight

A public exploit targeting building automation systems has brought KNX security back into the spotlight, with industrial giant Schneider Electric releasing a security bulletin to warn customers about the potential risks.

https://www.securityweek.com/building-automation-system-exploit-brings-knx-security-back-in-spotlight/

Do not book your accommodation via booked.net or hotel-mix.de

Looking for accommodation? You had better not book on booked.net or hotel-mix.de, because both booking platforms list accommodations that have no contract with the platform. When you arrive at the accommodation you booked, it can happen that the operators know nothing about your booking and you have to find a new place to sleep at short notice.

https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-ueber-bookednet-oder-hotel-mixde/

New phishing-as-a-service tool "Greatness" already seen in the wild

A previously unreported phishing-as-a-service (PaaS) offering named "Greatness" has been used in several phishing campaigns since at least mid-2022. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.

https://blog.talosintelligence.com/new-phishing-as-a-service-tool-greatness-already-seen-in-the-wild/

Vulnerabilities

WordPress Plugin "Newsletter" vulnerable to cross-site scripting

WordPress Plugin "Newsletter" provided by Stefano Lissa & The Newsletter Team contains a cross-site scripting vulnerability (CWE-79). An arbitrary script may be executed in the web browser of a user who logs in to WordPress while using the plugin.

https://jvn.jp/en/jp/JVN59341308/

WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" vulnerable to cross-site scripting

* An arbitrary script may be executed on the web browser of the user who is logging in to the product - CVE-2023-27923, CVE-2023-28367
* An arbitrary script may be executed on the web browser of the user who is accessing the site using the product - CVE-2023-27925, CVE-2023-27926

https://jvn.jp/en/jp/JVN95792402/

Security updates for Tuesday

Security updates have been issued by Fedora (java-11-openjdk-portable and rubygem-redcarpet), Red Hat (autotrace, bind, buildah, butane, conmon, containernetworking-plugins, curl, device-mapper-multipath, dhcp, edk2, emacs, fence-agents, freeradius, freerdp, frr, fwupd, gdk-pixbuf2, git, git-lfs, golang-github-cpuguy83-md2man, grafana, grafana-pcp, gstreamer1-plugins-good, Image Builder, jackson, kernel, kernel-rt, krb5, libarchive, libguestfs-winsupport, libreswan, libtiff, libtpms, lua, mysql, net-snmp, openssh, openssl, pcs, php:8.1, pki-core, podman, poppler, postgresql-jdbc, python-mako, qemu-kvm, samba, skopeo, sysstat, tigervnc, toolbox, unbound, webkit2gtk3, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (cfengine, cfengine-masterfiles, go1.19, go1.20, libfastjson, python-cryptography, and python-ujson), and Ubuntu (mysql-5.7).

https://lwn.net/Articles/931384/

Citrix ADC and Citrix Gateway Security Bulletin

* CVE-2023-24488, Cross site scripting, CVSS 6.1
* CVE-2023-24487, Arbitrary file read, CVSS 6.3

https://support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202324487-cve202324488

SSA-932528 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge

https://cert-portal.siemens.com/productcert/html/ssa-932528.html

SSA-892048 V1.0: Third-Party Component Vulnerabilities in SINEC NMS before V1.0.3.1

https://cert-portal.siemens.com/productcert/html/ssa-892048.html

SSA-789345 V1.0: Code Execution Vulnerabilities in Siveillance Video Event and Management Servers

https://cert-portal.siemens.com/productcert/html/ssa-789345.html

SSA-555292 V1.0: Security Vulnerabilities Fixed in SIMATIC Cloud Connect 7 V2.1

https://cert-portal.siemens.com/productcert/html/ssa-555292.html

SSA-516174 V1.0: Wi-Fi Encryption Bypass Vulnerabilities in SCALANCE W1750D

https://cert-portal.siemens.com/productcert/html/ssa-516174.html

SSA-325383 V1.0: Multiple Vulnerabilities in SCALANCE LPE9403 before V2.1

https://cert-portal.siemens.com/productcert/html/ssa-325383.html

F5: K000133759 : Python vulnerability CVE-2020-26116

https://my.f5.com/manage/s/article/K000133759

F5: K000134496 : Jettison vulnerability CVE-2022-45685

https://my.f5.com/manage/s/article/K000134496

Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9.

https://www.ibm.com/support/pages/node/6988953

TensorFlow is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/6988959

IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966)

https://www.ibm.com/support/pages/node/6986333

TensorFlow is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/6988979

Ansi-html is vulnerable to CVE-2021-23424 used in IBM Maximo Application Suite

https://www.ibm.com/support/pages/node/6988981

Node-forge is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/6988969

Apache Log4j is vulnerable to CVE-2021-45105 and CVE-2021-45046 used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/6988975

Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter

https://www.ibm.com/support/pages/node/888295

IBM Cloud Pak for Network Automation 2.4.6 fixes multiple security vulnerabilities

https://www.ibm.com/support/pages/node/6989099

CVE-2023-24536, CVE-2023-24537 and CVE-2023-24534 may affect IBM CICS TX Standard

https://www.ibm.com/support/pages/node/6989115

CVE-2023-24536, CVE-2023-24537, CVE-2023-24534 may affect IBM CICS TX Advanced

https://www.ibm.com/support/pages/node/6989117

A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2022-39161)

https://www.ibm.com/support/pages/node/6989119

WebSphere Application Server Liberty is vulnerable to CVE-2022-3509 and CVE-2022-3171 used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/6989133

IBM WebSphere Application Server Liberty and Open Liberty are vulnerable to CVE-2022-22475 used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/6989131

IBM WebSphere Application Server Liberty is vulnerable to CVE-2022-22393 used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/6989127

A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2022-39161)

https://www.ibm.com/support/pages/node/6989145