SysAdmin 24x7

CVE-2022-26500 | CVE-2022-26501 KB ID: 4288 Product: Veeam Backup & Replication | 9.5 | 10 | 11 Published: 2022-03-12 Last Modified: 2022-03-15 Challenge Multiple vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system. Severity: Critical - score: 9.8 Cause The Veeam Distribution Service (TCP 9380 by default) allows unauthenticated users to access internal API functions. A remote attacker may send input to the internal API which may lead to uploading and executing of malicious code. https://www.veeam.com/kb4288

Múltiples vulnerabilidades en Apache HTTP Server Fecha de publicación: 15/03/2022 Importancia: 4 - Alta Recursos afectados: Apache HTTP Server, versión 2.4.52 y anteriores. Descripción: Se han publicado cuatro vulnerabilidades en Apache HTTP Server, que podrían permitir a un atacante leer en una zona de memoria aleatoria, realizar contrabando de solicitudes (request smuggling) HTTP, hacer una escritura fuera de límites o sobrescribir la memoria de la pila. Solución: Actualizar a Apache HTTP Server 2.4.53. https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-apache-http-server-1

Microsoft is testing ads in the Windows 11 File Explorer Microsoft has begun testing promotions for some of its other products in the File Explorer app on devices running its latest Windows 11 Insider build. https://www.bleepingcomputer.com/news/microsoft/microsoft-is-testing-ads-in-the-windows-11-file-explorer/

High-Severity Vulnerabilities Patched in Omron PLC Programming Software. Several high-severity vulnerabilities that can be exploited for remote code execution were patched recently in the CX-Programmer software of Japanese electronics giant Omron. https://www.securityweek.com/high-severity-vulnerabilities-patched-omron-plc-programming-software

Verificación insuficiente de la autenticidad de los datos en Syltek Fecha de publicación: 14/03/2022 Importancia: 4 - Alta Recursos afectados: Syltek, versiones anteriores a la 10.22.00. Descripción: INCIBE ha coordinado la publicación de una vulnerabilidad en la aplicación Syltek, con el código interno INCIBE-2022-0648, que ha sido descubierta por Enrique Benvenutto Navarro. A esta vulnerabilidad se le ha asignado el código CVE-2021-4031. Se ha calculado una puntuación base CVSS v3.1 de 7,5, siendo el cálculo del CVSS el siguiente: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. Solución: Esta vulnerabilidad ha sido resuelta por el equipo de Playtomic, en la versión 10.22.00, publicada el 02/12/2021. https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/verificacion-insuficiente-autenticidad-los-datos-syltek

Desde el Incibe se alerta de estas vulnerabilidades ya publicadas en este canal de manera específica que afectan a plataforma Exchange, los parches son del día 8 de marzo. Ponen especial énfasis en: [Actualización 14/03/2022] Dado que se ha observado un aumento de los ataques contra Microsoft Exchange, se aconseja aplicar el parche lo antes posible para solucionar la vulnerabilidad CVE-2022-23277. https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizaciones-seguridad-microsoft-marzo-2022

Actualización de seguridad 5.9.2 para WordPress Fecha de publicación: 14/03/2022 Importancia: 4 - Alta Recursos afectados: WordPress, versiones anteriores a 5.9.2. Descripción: Se ha publicado la última versión de WordPress, que contiene 3 correcciones de seguridad. Solución: Actualizar a la versión 5.9.2 desde WordPress.org o desde el panel de control (Updates > Update Now). https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/actualizacion-seguridad-592-wordpress

Release Information for Veeam Backup & Replication 10a Cumulative Patch P20220304 KB ID: 4291 Product: Veeam Backup & Replication | 10 Published: 2022-03-12 Last Modified: 2022-03-13 Resolved Issues Vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam Distribution Service were fixed (vulnerabilities reported by Positive Technologies). Vulnerability (CVE-2022-26504) in Veeam.Backup.PSManager was fixed. Vulnerability (CVE-2022-26503) in Veeam Agent for Microsoft Windows was fixed (vulnerability reported by Positive Technologies). https://www.veeam.com/kb4291

Múltiples vulnerabilidades en Xen Fecha de publicación: 11/03/2022 Importancia: 4 - Alta Recursos afectados: Varios frontends de dispositivos Linux PV: blkfront, netfront, scsifront, usbfront, dmabuf, xenbus, 9p, kbdfront, pvcalls, driver gntalloc. Descripción: Demi Marie Obenour y Simon Gaiser, de Invisible Things Lab, han reportado múltiples vulnerabilidades presentes en algunos frontends de dispositivos Linux PV, debidas a que estos no eliminan adecuadamente los derechos de acceso de los backends, lo que podría permitir a un atacante la fuga de datos, la corrupción de datos o la denegación de servicio. https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/multiples-vulnerabilidades-xen-5

Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up… Sort Of. You’ve probably heard of the Conti ransomware group. After their 2020 emergence, they’ve accumulated at least 700 victims, where by “victims” we mean ‘big fish’ corporations with millions of dollars in revenue; unlike your average neighborhood ransomware operation, Conti never cared for extorting your mother-in-law for her vacation photos. For a while, Conti was the face of ransomware, along with fellow gang REvil – until this February, when 14 REvil operatives were arrested by the Russian authorities, leaving Conti effectively alone in its position as a major league ransomware operation. https://research.checkpoint.com/2022/leaks-of-conti-ransomware-group-paint-picture-of-a-surprisingly-normal-tech-start-up-sort-of/

Raccoon Stealer: “Trash panda” abuses Telegram We recently came across a stealer, called Raccoon Stealer, a name given to it by its author. Raccoon Stealer uses the Telegram infrastructure to store and update actual C&C addresses. https://decoded.avast.io/vladimirmartyanov/raccoon-stealer-trash-panda-abuses-telegram/

New Nokoyawa Ransomware Possibly Related to Hive In March 2022, we came across evidence that another, relatively unknown, ransomware known as Nokoyawa is likely connected with Hive, as the two families share some striking similarities in their attack chain, from the tools used to the order in which they execute various steps. https://www.trendmicro.com/en_us/research/22/c/nokoyawa-ransomware-possibly-related-to-hive-.html

TLStorm Three critical vulnerabilities discovered in APC Smart-UPS devices can allow attackers to remotely manipulate the power of millions of enterprise devices. https://www.armis.com/research/tlstorm/

SAP Releases March 2022 Security Updates SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. https://www.cisa.gov/uscert/ncas/current-activity/2022/03/08/sap-releases-march-2022-security-updates

Microsoft Security Update Summary for March Critical Security Updates ============================ Microsoft Exchange Server 2013 Cumulative Update 23 Microsoft Exchange Server 2016 Cumulative Update 21 Microsoft Exchange Server 2016 Cumulative Update 22 Microsoft Exchange Server 2019 Cumulative Update 10 Microsoft Exchange Server 2019 Cumulative Update 11 HEVC Video Extension HEVC Video Extensions VP9 Video Extensions https://msrc.microsoft.com/update-guide/

New Supply Chain Vulnerabilities Impact Medical and IoT Devices. https://www.forescout.com/blog/access-7-vulnerabilities-impact-supply-chain-component-in-medical-and-iot-device-models/

Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device. Cisco Talos’ vulnerability research team disclosed multiple vulnerabilities in the ZTE MF971R wireless hotspot and router in October. Several months removed from that disclosure and ZTE’s patch, we decided to take an even closer look at two of these vulnerabilities — CVE-2021-21748 and CVE-2021-21745 — to show how they could be chained together by an attacker to completely take over a device. https://blog.talosintelligence.com/2022/03/deep-dive-vulnerabilities-in-zte-router.html

Divulgación de información sensible en phpMyAdmin Fecha de publicación: 08/03/2022 Importancia: 3 - Media Recursos afectados: PhpMyAdmin, versión 5.1.1 y anteriores. Descripción: INCIBE ha coordinado la publicación de una vulnerabilidad en phpMyAdmin, con el código interno INCIBE-2022-0636, que ha sido descubierta por Rafael Pedrero. A esta vulnerabilidad se le ha asignado el código CVE-2022-0813. Se ha calculado una puntuación base CVSS v3.1 de 5,3, siendo el cálculo del CVSS el siguiente: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. https://www.incibe-cert.es/alerta-temprana/avisos-seguridad/divulgacion-informacion-sensible-phpmyadmin

New Linux bug gives root on all major distros, exploit released. This is the story of CVE-2022-0847, a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes. It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit. The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102. https://dirtypipe.cm4all.com/