//Week in review - 22 Jul 2022


Yesterday saw the majority of Australia and New Zealand Microsoft users impacted by the Microsoft Teams outage, AusCERT included. It is being reported that the outage was caused by "a recent deployment [that] contained a broken connection to an internal storage service".

We hope this gave users the chance to celebrate National Lamington Day. The humble lamington has been a part of the Australian tradition since the 1800s. Yet, the lamington is another dessert that has its origins disputed, much like the pavlova.

Car hacking is not just for the movies anymore, but came closer to reality this week with the discovery of the unpatched bug in the MiCODUS GPS device. The vulnerability can allow attackers to restrict fuel intake, monitor the location of vehicles and even stop the vehicles. Currently, there is no patch that can be applied to mitigate this bug.

Cisco Patches Severe Vulnerabilities in Nexus Dashboard
Date: 2022-07-21
Author: Security Week

Cisco on Wednesday announced the availability of patches for multiple vulnerabilities in Nexus Dashboard, including a critical-severity issue that could lead to the execution of arbitrary commands.
The Nexus Dashboard is a data center management console that provides administrators and operators with quick access to required resources across services and applications.
The most severe of the newly resolved vulnerabilities affecting the console is CVE-2022-20857 (CVSS score of 9.8), which could allow a remote, unauthenticated attacker to access a specific API and execute arbitrary commands.

Hacker Abusing Windows NFS Remote Code Execution Flaw
Date: 2022-07-20
Author: Cyware

The vulnerability, tracked as CVE-2022-30136, was patched in June, however, the report provided more detailed information about potential exploitation.
The flaw is contained within Windows NFS and occurs due to improper handling of NFSv4 requests.
It could be abused by sending malicious RPC calls to a target server.
Further, successful exploitation could result in arbitrary code execution as SYSTEM. On the other side, unsuccessful exploitation could even crash the system.

Microsoft Teams outage widens to take out M365 services, admin center
Date: 2022-07-21
Author: The Register

Microsoft acknowledged the issue at 01:47 UTC on July 21 and offered the following update around 75 minutes later.
The outage appears to be global, but Microsoft is perhaps a little fortunate that the incident struck when the working day was all but over in the US, and in the dark of the European night. Most of the reaction The Register can find is therefore from the Asia-Pacific region, where businesses such as an Australian horse-racing organization have been disrupted.

LDAP Account Manager bug poses unauthenticated remote code execution risk
Date: 2022-07-19
Author: Portswigger

An unauthenticated arbitrary object instantiation vulnerability in LDAP Account Manager (LAM) has been discovered during an internal penetration test.
LAM is a PHP web application for managing entries such as users, groups, or DHCP settings in LDAP directories via a web frontend, and is one of the alternatives to FreeIPA. It’s included in Debian repositories.
But a vulnerability discovered by researcher Arseniy Sharoglazov could allow an attacker to create arbitrary objects and achieve remote code execution (RCE) in one request, and without any out-of-band connections.

Critical flaws in GPS tracker enable “disastrous” and “life-threatening” hacks
Date: 2022-07-20
Author: Ars Technica

A security firm and the US government are advising the public to immediately stop using a popular GPS tracking device or to at least minimize exposure to it, citing a host of vulnerabilities that make it possible for hackers to remotely disable cars while they’re moving, track location histories, disarm alarms, and cut off fuel.

Log4j vulnerabilities remain 'endemic', says US DHS
Date: 2022-07-18
Author: iTnews

The US Department of Homeland security has warned that the world is likely to be dealing with the fallout from the Log4j vulnerability for a decade or more.
Log4j – also known as Log4shell – is a critical vulnerability in a Java logging library that can be used for remote code execution and to gain full control over millions of vulnerable enterprise systems.

COVID-19 lockdowns see rise in bank and credit-card fraud as more people work and shop from home
Date: 2022-07-18
Author: ABC News

One in nine Australians have been victims of personal fraud, with card fraud the most common type due to more people banking and shopping online because of COVID-19.
Card fraud is when criminals get a hold of your banking or credit-card details to illegally access your account and steal money.
The Australian Bureau of Statistics said 11 per cent of Australians, or more than 2 million people, were victims of personal fraud in 2020-21, compared to 8.5 per cent in 2014-15.

Westpac arms itself for cryptocurrency tilt – Finance – Software
Date: 2022-07-20
Author: IT News

Westpac has given a clear indication of its intent to enter the cryptocurrency and blockchain space, having previously been tight-lipped as to its ambitions.
The bank posted an open call for a principal architect for digital assets and cryptocurrency in recent weeks, from which it is clear that Westpac wants to set itself up as a leader in what is is collectively calling “digital assets”.

ESB-2022.3563 – Apple Watch Series 3: CVSS (Max): 5.5*

Apple released security updates to fix vulnerabilities impacting Apple Watch. Users should upgrade their devices by installing watchOS 8.7.

ESB-2022.3559 – macOS Monterey 12.5: CVSS (Max): 7.5*

Apple addressed several arbitrary code execution flaws impacting Neural Engine, GPU Drivers, ImageIO, ICU, and Kernel. Users should upgrade their devices by installing macOS Monterey 12.5

ESB-2022.3553 – Safari 15.6: CVSS (Max): None

Apple fixed arbitrary code execution issue that was addressed with the release of Safari 15.6: An out-of-bounds write issue was addressed with improved
input validation. Safari 15.6 may be obtained from the Mac App Store

ESB-2022.3522 – MiCODUS MV720 GPS tracker: CVSS (Max): 9.8

Exploitation of several vulnerabilities could allow an attacker control over any MV720 GPS tracker, granting access to location, routes, fuel cutoff commands, and the disarming of various features (e.g., alarms). MiCODUS has not provided updates or patches to mitigate these vulnerabilities.

ESB-2022.3574 – Questions For Confluence: CVSS (Max): None

An external party has discovered and publicly disclosed a hardcoded password for Questions for Confluence on Twitter. This issue is likely to be exploited in the wild now that the hardcoded password is publicly known. This vulnerability should be remediated on affected systems immediately.

Stay safe, stay patched and have a good weekend!

The AusCERT team