SysAdmin 24x7
IT security news and alerts.
Chat and contact:
t.me/sysadmin24x7chat
Malware now using stolen NVIDIA code signing certificates

Threat actors are using stolen NVIDIA code signing certificates to sign malware so that it appears trustworthy and so that malicious drivers can be loaded on Windows.

This week, NVIDIA confirmed that they suffered a cyberattack that allowed threat actors to steal employee credentials and proprietary data.

The extortion group, known as Lapsus$, states that they stole 1TB of data during the attack and has begun leaking the data online.

https://www.bleepingcomputer.com/news/security/malware-now-using-stolen-nvidia-code-signing-certificates/
Multiple vulnerabilities in Asterisk products

Publication date: 7 March 2022
Severity: 5 - Critical

Affected resources:
Asterisk Open Source:
versions 16.x;
versions 18.x;
versions 19.x.
Certified Asterisk: versions 16.x.

Description:
Asterisk has published 3 vulnerabilities, 2 of critical severity and 1 of medium severity, through which an attacker could execute arbitrary code, cause a denial of service, or perform an out-of-bounds memory access.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-productos-asterisk
New Linux bug gives root on all major distros, exploit released.

This is the story of CVE-2022-0847, a vulnerability present in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.

It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit.

The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.

https://dirtypipe.cm4all.com/
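A quick triage check for the fix versions listed above, added here as an example (it is not from the channel or from the Dirty Pipe writeup): it parses a `uname -r` string and reports whether the upstream version number falls in the vulnerable range, from 5.8 up to the fixed point releases 5.10.102, 5.15.25 and 5.16.11. Treating 5.17 and later as fixed is an assumption not stated on the page.

```python
"""Classify a kernel release string against the CVE-2022-0847 (Dirty Pipe) fix versions."""
import platform
import re

# The vulnerable code entered mainline in 5.8; these stable releases carry the fix
# (versions from the advisory quoted above).
INTRODUCED = (5, 8)
FIXED_STABLE = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
# Assumption (not stated on the page): mainline 5.17 and later include the fix.
FIXED_MAINLINE = (5, 17)

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release: str) -> tuple:
    """Extract (major, minor, patch) from a `uname -r` string such as '5.16.10-arch1-1'."""
    m = _VER_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def upstream_version_affected(release: str) -> bool:
    """True if the *upstream* version number falls in the vulnerable range.

    Distribution kernels often backport fixes without changing this number,
    so True means "check the distro advisory", not "exploitable".
    """
    major, minor, patch = parse_release(release)
    series = (major, minor)
    if series < INTRODUCED or series >= FIXED_MAINLINE:
        return False
    if series in FIXED_STABLE:
        return patch < FIXED_STABLE[series]
    # 5.8, 5.9 and 5.11-5.14: no fixed point release is listed; treat as affected.
    return True


if __name__ == "__main__":
    if platform.system() == "Linux":
        rel = platform.release()
        verdict = "affected (by upstream version)" if upstream_version_affected(rel) else "not affected"
        print(f"{rel} -> {verdict}")
    else:
        # Constructed sample inputs for a non-Linux host.
        for rel in ("5.16.10-arch1-1", "5.16.11-arch1-1", "5.4.0-100-generic"):
            print(rel, "->", upstream_version_affected(rel))
```

A result of True means only that the upstream version predates the fix: Debian, Ubuntu, RHEL and SUSE backport kernel fixes into packages that keep the old upstream number, so the distribution's advisory or package changelog is the authoritative source. Use this to prioritise which hosts to check, not as a verdict.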
Sensitive information disclosure in phpMyAdmin

Publication date: 8 March 2022
Severity: 3 - Medium

Affected resources:
phpMyAdmin, version 5.1.1 and earlier.

Description:
INCIBE has coordinated the publication of a vulnerability in phpMyAdmin, with internal code INCIBE-2022-0636, discovered by Rafael Pedrero.

This vulnerability has been assigned CVE-2022-0813. A CVSS v3.1 base score of 5.3 has been calculated from the following vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/divulgacion-informacion-sensible-phpmyadmin
Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device.

Cisco Talos’ vulnerability research team disclosed multiple vulnerabilities in the ZTE MF971R wireless hotspot and router in October. Several months removed from that disclosure and ZTE’s patch, we decided to take an even closer look at two of these vulnerabilities — CVE-2021-21748 and CVE-2021-21745 — to show how they could be chained together by an attacker to completely take over a device.

https://blog.talosintelligence.com/2022/03/deep-dive-vulnerabilities-in-zte-router.html
Microsoft Security Update Summary for March

Critical Security Updates
============================
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 21
Microsoft Exchange Server 2016 Cumulative Update 22
Microsoft Exchange Server 2019 Cumulative Update 10
Microsoft Exchange Server 2019 Cumulative Update 11
HEVC Video Extension
HEVC Video Extensions
VP9 Video Extensions


https://msrc.microsoft.com/update-guide/
TLStorm

Three critical vulnerabilities discovered in APC Smart-UPS devices can allow attackers to remotely manipulate the power of millions of enterprise devices.

https://www.armis.com/research/tlstorm/
New Nokoyawa Ransomware Possibly Related to Hive

In March 2022, we came across evidence that another, relatively unknown, ransomware known as Nokoyawa is likely connected with Hive, as the two families share some striking similarities in their attack chain, from the tools used to the order in which they execute various steps.

https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html
Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up… Sort Of.

You’ve probably heard of the Conti ransomware group. After their 2020 emergence, they’ve accumulated at least 700 victims, where by “victims” we mean ‘big fish’ corporations with millions of dollars in revenue; unlike your average neighborhood ransomware operation, Conti never cared for extorting your mother-in-law for her vacation photos. For a while, Conti was the face of ransomware, along with fellow gang REvil – until this February, when 14 REvil operatives were arrested by the Russian authorities, leaving Conti effectively alone in its position as a major league ransomware operation.

https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/
Multiple vulnerabilities in Xen

Publication date: 11 March 2022
Severity: 4 - High

Affected resources:
Several Linux PV device frontends:
blkfront,
netfront,
scsifront,
usbfront,
dmabuf,
xenbus,
9p,
kbdfront,
pvcalls,
the gntalloc driver.

Description:
Demi Marie Obenour and Simon Gaiser, of Invisible Things Lab, have reported multiple vulnerabilities in some Linux PV device frontends, caused by these frontends not properly revoking the backends' access rights, which could allow an attacker to leak data, corrupt data or cause a denial of service.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-xen-5
Release Information for Veeam Backup & Replication 10a Cumulative Patch P20220304

KB ID: 4291
Product: Veeam Backup & Replication | 10
Published: 2022-03-12
Last Modified: 2022-03-13

Resolved Issues
Vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Distribution Service were fixed (vulnerabilities reported by Positive Technologies).
Vulnerability (CVE-2022-26504) in Veeam.Backup.PSManager was fixed.
Vulnerability (CVE-2022-26503) in Veeam Agent for Microsoft Windows was fixed (vulnerability reported by Positive Technologies).

https://www.veeam.com/kb4291
WordPress 5.9.2 security update

Publication date: 14 March 2022
Severity: 4 - High
Affected resources: WordPress, versions earlier than 5.9.2.

Description:
The latest version of WordPress has been released, containing 3 security fixes.

Solution:
Update to version 5.9.2 from WordPress.org or from the dashboard (Updates > Update Now).

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-592-wordpress
INCIBE has issued an alert about these vulnerabilities affecting the Exchange platform, already posted on this channel individually; the patches date from 8 March.

They place special emphasis on:
[Update 14 March 2022] Since an increase in attacks against Microsoft Exchange has been observed, it is advised to apply the patch as soon as possible to fix CVE-2022-23277.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizaciones-seguridad-microsoft-marzo-2022
Insufficient verification of data authenticity in Syltek

Publication date: 14 March 2022
Severity: 4 - High

Affected resources:
Syltek, versions earlier than 10.22.00.

Description:
INCIBE has coordinated the publication of a vulnerability in the Syltek application, with internal code INCIBE-2022-0648, discovered by Enrique Benvenutto Navarro.

This vulnerability has been assigned CVE-2021-4031. A CVSS v3.1 base score of 7.5 has been calculated from the following vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

Solution:
This vulnerability has been fixed by the Playtomic team in version 10.22.00, published on 2 December 2021.

https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/verificacion-insuficiente-autenticidad-los-datos-syltek
High-Severity Vulnerabilities Patched in Omron PLC Programming Software.

Several high-severity vulnerabilities that can be exploited for remote code execution were patched recently in the CX-Programmer software of Japanese electronics giant Omron.

https://www.securityweek.com/high-severity-vulnerabilities-patched-omron-plc-programming-software