End-of-Day report
Timeframe: Monday 23-12-2024 18:00 - Friday 27-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Cybersecurity firm's Chrome extension hijacked to steal users' data
One attack was disclosed by Cyberhaven, a data loss prevention company that alerted its customers of a breach on December 24 after a successful phishing attack on an administrator account for the Google Chrome store. Among Cyberhaven's customers are Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, Upstart, and Kirkland & Ellis. [..] Cyberhaven's internal security team removed the malicious package within an hour of its detection, the company says in an email to its customers.
https://www.bleepingcomputer.com/news/security/cybersecurity-firms-chrome-extension-hijacked-to-steal-users-data/
Microsoft warns: bug could prevent security updates
Microsoft is warning users who recently installed their system via CD or USB stick. Specifically, this concerns installation media that included the October or November security update. Such systems may stop receiving any further updates if they are currently on 24H2.
https://futurezone.at/produkte/microsoft-warnung-bug-security-updates-windows-11-2024h2/402992486
Data protection breach: Volkswagen movement profiles of 800,000 electric cars exposed
Personal data and movement profiles of around 800,000 VW electric car owners were publicly accessible in the cloud for months.
https://www.golem.de/news/datenschutzverletzung-volkwagen-bewegungsprofile-von-800-000-e-autos-offengelegt-2412-192000.html
Threat landscape for industrial automation systems in Q3 2024
The ICS CERT quarterly report covers threat landscape for industrial automation systems in Q3 2024.
https://securelist.com/ics-cert-q3-2024-report/115182/
More SSH Fun!, (Tue, Dec 24th)
A few days ago, I wrote a diary about a link file that abused the ssh.exe tool present in modern versions of Microsoft Windows. At the end, I mentioned that I will hunt for more SSH-related files/scripts. Guess what? I already found another one.
https://isc.sans.edu/diary/rss/31542
Year in review: these topics kept us busy in 2024!
We say -THANK YOU- and look back once more at the developments and events of the past year.
https://www.watchlist-internet.at/news/jahresrueckblick-2024/
ASUS: "Christmas surprise" with christmas.exe went wrong
Vendor ASUS wanted to surprise its users and sent them a special Christmas card with the file name christmas.exe. It has of course been known for years that, for security reasons, you do not send an .exe greeting card with Christmas wishes.
https://www.borncity.com/blog/2024/12/26/asus-weihnachtsueberraschung-mit-christmas-exe-schief-gegangen/
PMKID Attacks: Debunking the 802.11r Myth
This article addresses common misconceptions surrounding PMKID-based attacks while offering technical insights into their mechanics and effective countermeasures. The PMKID-based attack, first disclosed in 2018 by the Hashcat team, introduced a novel method of compromising WPA2-protected Wi-Fi networks. Unlike traditional techniques, this approach does not require capturing a full 4-way handshake, instead leveraging a design flaw in the Pairwise Master Key Identifier (PMKID).
https://www.nccgroup.com/us/research-blog/pmkid-attacks-debunking-the-80211r-myth/
From Arbitrary File Write to RCE in Restricted Rails apps
Introduction: Recently, we came across a situation where we needed to exploit an arbitrary file write vulnerability in a Rails application running in a restricted environment. The application was deployed via a Dockerfile that imposed... The post From Arbitrary File Write to RCE in Restricted Rails apps appeared first on Conviso AppSec.
https://blog.convisoappsec.com/en/from-arbitrary-file-write-to-rce-in-restricted-rails-apps/
Vulnerabilities
Palo Alto: CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet (Severity: HIGH)
A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
https://security.paloaltonetworks.com/CVE-2024-3393
Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks
The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions. The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that was previously addressed on December 17, 2024.
https://thehackernews.com/2024/12/apache-tomcat-vulnerability-cve-2024.html
Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS - Patch Now
The Apache Software Foundation (ASF) has shipped security updates to address a critical security flaw in Traffic Control that, if successfully exploited, could allow an attacker to execute arbitrary Structured Query Language (SQL) commands in the database. The SQL injection vulnerability, tracked as CVE-2024-45387, is rated 9.9 out of 10.0 on the CVSS scoring system.
https://thehackernews.com/2024/12/critical-sql-injection-vulnerability-in.html
Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization
The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions. Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0.
https://thehackernews.com/2024/12/apache-mina-cve-2024-52046-cvss-100.html
Adobe warns of critical ColdFusion bug with PoC exploit code
Adobe has released out-of-band security updates to address a critical ColdFusion vulnerability with proof-of-concept exploit code. In an advisory released on Monday, the company says the flaw (tracked as CVE-2024-53961) is caused by a path traversal weakness that impacts Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers.
https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-coldfusion-bug-with-poc-exploit-code/
Security updates for Tuesday
Security updates have been issued by AlmaLinux (containernetworking-plugins, edk2:20240524, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, libsndfile:1.0.31, mpg123:1.32.9, pam, php:8.1, php:8.2, python3.11, python3.11-urllib3, python3.12, python3.9:3.9.21, skopeo, and unbound:1.16.2), Debian (intel-microcode), Fedora (python3-docs and python3.12), Mageia (emacs), Red Hat (podman), and SUSE (gdb, govulncheck-vulndb, libparaview5_12, mozjs115, mozjs78, and vhostmd).
https://lwn.net/Articles/1003381/
Security updates for Wednesday
Security updates have been issued by Fedora (sympa and tomcat), Red Hat (kernel), and SUSE (poppler).
https://lwn.net/Articles/1003462/
Security updates for Thursday
Security updates have been issued by Debian (fastnetmon, webkit2gtk, and xen), Fedora (sympa), Oracle (postgresql), and Red Hat (pcp, tigervnc, and xorg-x11-server and xorg-x11-server-Xwayland).
https://lwn.net/Articles/1003542/
Security updates for Friday
Security updates have been issued by Debian (node-postcss), Fedora (age, dr_libs, incus, libxml2, moodle, and python-sql), and SUSE (poppler and python-grpcio).
https://lwn.net/Articles/1003601/