[CERT-daily] Daily summary - Thursday 18-12-2014

Daily end-of-shift report team at cert.at
Thu Dec 18 18:22:55 CET 2014


=======================
= End-of-Shift report =
=======================

Timeframe:   Wednesday 17-12-2014 18:00 − Thursday 18-12-2014 18:00
Handler:     Stephan Richter
Co-Handler:  n/a




*** Is the polkit Grinch Going to Steal your Christmas?, (Wed, Dec 17th) ***
---------------------------------------------
Alert Logic published a widely publicized blog outlining a common configuration problem with Polkit. To help with dissemination, Alert Logic named the vulnerability Grinch [1]. In some ways, this isn't so much a vulnerability, as more a common overly permissive configuration of many Linux systems. It could easily be leveraged to escalate privileges beyond the intent of the polkit configuration. Let's first step back: In the beginning, there was sudo. Sudo served the Unix community well for many...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19077&rss




*** Application Threat and Usage Report 2014 ***
---------------------------------------------
The Application Usage And Threat Report provides an analysis of applications and their link to cyber threats within the enterprise. The report summarizes network traffic assessments performed wor...
---------------------------------------------
http://www.net-security.org/secworld.php?id=17609




*** Successful attack on Internet administration body ICANN ***
---------------------------------------------
Among other things, a central system used to organize the introduction of the new top-level domains was compromised in an attack on ICANN. ICANN serves as the top-level oversight body for the administration of network resources such as DNS and IP addresses.
---------------------------------------------
http://www.heise.de/security/meldung/Erfolgreicher-Angriff-auf-Internet-Verwaltung-ICANN-2499609.html




*** Your Browser is (not) Locked ***
---------------------------------------------
Most ransomware has a binary file that needs to be executed before it can infect your PC. Ransomware usually relies on social engineering or exploits to infect unsuspecting users. However, some malware authors are bypassing this requirement with a new trick - browser lockers. Unlike traditional ransomware threats that lock the entire desktop, browser lockers only lock the web browser of an infected PC. Most other malware needs a user (or other malware) to manually run it. Browser lockers...
---------------------------------------------
http://blogs.technet.com/b/mmpc/archive/2014/12/17/your-browser-is-not-locked.aspx




*** Chthonic: a New Modification of ZeuS ***
---------------------------------------------
In the fall of 2014, we discovered a new banking Trojan, which caught our attention for two reasons...
---------------------------------------------
http://securelist.com/blog/virus-watch/68176/chthonic-a-new-modification-of-zeus/




*** Ars Technica readers urged to change passwords in wake of hack ***
---------------------------------------------
In case you haven't heard already, Ars Technica got hacked over the weekend, so if you are a subscribed reader now would be a good time to change your password. "At 20:00 CT on December 14, an Inte...
---------------------------------------------
http://www.net-security.org/secworld.php?id=17768




*** PhpBB web servers cracked, credentials copied ***
---------------------------------------------
The PhpBB servers were compromised and are currently offline. The attackers managed to hijack the forum account of an administrator.
---------------------------------------------
http://www.heise.de/security/meldung/PhpBB-Webserver-geknackt-Zugangsdaten-kopiert-2499688.html




*** Android Hacking and Security, Part 17: Cracking Android App Binaries ***
---------------------------------------------
In this article, we will see how a developer can perform basic checks to programmatically detect if the app is running on an emulator and stop executing the app if an emulator is detected. We will then see how an attacker can easily bypass these checks by using some freely...
---------------------------------------------
http://resources.infosecinstitute.com/android-hacking-security-part-17-cracking-android-app-binaries/




*** Alina POS malware "sparks" off a new variant ***
---------------------------------------------
Alina is a well-documented family of malware used to scrape Credit Card (CC) data from Point of Sale (POS) software. We published a series of in-depth write-ups on the capabilities Alina possesses as well as the progression of the versions. Xylitol has a nice write-up on the Command and Control (C&C) aspects of Alina. In this blog post I'd like to discuss a variant that first cropped up in late 2013 and has been seen in the wild as recently as a month ago. Some anti-virus companies have
---------------------------------------------
http://blog.spiderlabs.com/2014/12/alina-pos-malware-sparks-off-a-new-variant.html




*** Patch debacle: Microsoft reworks IE update ***
---------------------------------------------
The series of botched patches does not seem to end. Now Microsoft has to rework an update for Internet Explorer after IE 11 users complained about problems with dialog boxes on websites.
---------------------------------------------
http://www.heise.de/security/meldung/Patch-Debakel-Microsoft-bessert-bei-IE-Update-nach-2500284.html




*** Exploit Kit Evolution During 2014 - Nuclear Pack, (Thu, Dec 18th) ***
---------------------------------------------
This is a guest diary submitted by Brad Duncan. Nuclear exploit kit (also known as Nuclear Pack) has been around for years. Version 2.0 of Nuclear Pack was reported in 2012 [1] [2]. Blogs like malware.dontneedcoffee.com have mentioned version 3.0 of Nuclear Pack in posts during 2013 [3] [4]. This month, Nuclear Pack changed its traffic patterns. The changes are significant enough that I wonder if Nuclear Pack is at version 4. Or is this merely an evolution of version 3, as we've seen throughout
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19081&rss




*** VU#843044: Multiple Dell iDRAC IPMI v1.5 implementations use insufficiently random session ID values ***
---------------------------------------------
Vulnerability Note VU#843044: Multiple Dell iDRAC IPMI v1.5 implementations use insufficiently random session ID values
Original Release date: 18 Dec 2014 | Last revised: 18 Dec 2014
Overview: The Intelligent Platform Management Interface (IPMI) v1.5 implementations in multiple Dell iDRAC releases are vulnerable to arbitrary command injection due to use of insufficiently random session ID values.
Description: CWE-330: Use of Insufficiently Random Values - CVE-2014-8272. The IPMI v1.5...
---------------------------------------------
http://www.kb.cert.org/vuls/id/843044




*** Cisco IronPort ESA Subject Header Length Denial of Service Vulnerability ***
---------------------------------------------
CVE-2014-8016
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8016




*** Cisco Adaptive Security Appliance DOM Cross-Site Scripting Vulnerability in WebVPN Portal ***
---------------------------------------------
CVE-2014-8012
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8012




*** Cisco IOS XR Software Malformed RSVP Packet Denial of Service Vulnerability ***
---------------------------------------------
CVE-2014-8014
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-8014




*** Cross-Site Scripting vulnerability in wfGallery (wf_gallery) ***
---------------------------------------------
It has been discovered that the extension "wfGallery" (wf_gallery) is susceptible to Cross-Site Scripting.
---------------------------------------------
http://www.typo3.org/news/article/cross-site-scripting-vulnerability-in-wfgallery-wf-gallery/




*** SA-CONTRIB-2014-128 - Organic Groups Menu - Access bypass ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-128
Project: OG Menu (third-party module)
Version: 6.x, 7.x
Date: 2014-December-17
Security risk: 14/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass, Information Disclosure
Description: This module enables you to associate menus with Organic Groups (OG). It allows you to create one or more menus per group, configure and apply menu permissions in a group context, add/edit menu links directly from the entity...
---------------------------------------------
https://www.drupal.org/node/2395049




*** SA-CONTRIB-2014-127 - School Administration - Cross Site Scripting (XSS) ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-127
Project: School Administration (third-party module)
Version: 7.x
Date: 2014-December-17
Security risk: 14/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Scripting
Description: School Administration module enables you to keep records of all students and staff. With inner modules, it aims to be a complete school administration system. The module failed to sanitize some node titles in messages, leading to a...
---------------------------------------------
https://www.drupal.org/node/2395015




*** SA-CONTRIB-2014-126 - Open Atrium - Multiple vulnerabilities ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2014-126
Project: Open Atrium (third-party module)
Version: 7.x
Date: 2014-12-17
Security risk: 13/25 (Moderately Critical) AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Access bypass, Cross Site Request Forgery, Multiple vulnerabilities
Description: This distribution enables you to create an intranet. Several of the sub modules included do not prevent CSRF on several menu callbacks. Open Atrium Discussion also does not exit correctly after...
---------------------------------------------
https://www.drupal.org/node/2394979




*** Novell NetIQ Access Manager 4.0 Support Pack 1 Hot Fix 3 4.0.1-132 ***
---------------------------------------------
Abstract: NetIQ Access Manager 4.0 Support Pack 1 Hot Fix 3 build (version 4.0.1-132). This file contains updates for services contained in the NetIQ Access Manager 4.0 product and requires 4.0 SP1 to be installed as a minimum. NetIQ recommends that all customers running Access Manager 4.0 release code apply this patch. The purpose of the patch is to provide a bundle of fixes for issues that have surfaced since NetIQ Access Manager 4.0 SP1 was released. These fixes include updates to the Access...
---------------------------------------------
https://download.novell.com/Download?buildid=i7RBltaqcVw~




*** [2014-12-18] Multiple critical vulnerabilities in VDG Security SENSE (formerly DIVA) ***
---------------------------------------------
Attackers are able to fully compromise the VDG Sense video management system by gaining highest system level access rights as multiple critical vulnerabilities exist.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-0_VDG_Security_SENSE_Multiple_critical_vulnerabilities_v10.txt




*** [2014-12-18] OS command execution vulnerability in GParted ***
---------------------------------------------
GParted does not properly sanitize strings before passing them as parameters to an OS command. Under certain conditions an attacker is able to execute system commands as user "root" by tricking a victim into using GParted to e.g. format a USB drive.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-1_GParted_command_execution_v10.txt




*** [2014-12-18] Multiple high risk vulnerabilities in NetIQ Access Manager ***
---------------------------------------------
A vulnerability in the NetIQ Access Manager allows an authenticated attacker to read local files. Moreover, several web based issues (CSRF, persistent and non-persistent XSS) allow an attacker to hijack the session of an administrator or user. An information disclosure vulnerability allows an attacker to gather internal information including service passwords.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-2_Novell_NetIQ_Access_Manager_Multiple_Vulnerabilities_v10.txt

