[CERT-daily] Tageszusammenfassung - Montag 12-05-2014

Mon May 12 18:22:32 CEST 2014

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 09-05-2014 18:00 − Montag 12-05-2014 18:00
Handler:     Alexander Riepl
Co-Handler:  Robert Waldner

*** Collabtive folder SQL injection ***
---------------------------------------------
Collabtive is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the managefile.php script using the folder parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93029


*** Cobbler kickstart value file include ***
---------------------------------------------
Cobbler could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL request using the Kickstart value when creating new profiles, to specify a malicious file from the local system, which could allow the attacker to obtain sensitive information or execute arbitrary code on the vulnerable Web server.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/93033


*** Bitcoin Miner Utilizing IRC Worm ***
---------------------------------------------
Bitcoin miners have given a new reason for attackers to communicate en mass with infected users. IRC worms are not exactly the most hip way to communicate, but they remain effective at sending and receiving commands. I recently came across several samples which bit coin mining examples leveraging IRC. The malicious binary, once installed, queries for the network shares connected to the
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/2xQ7VPxF-ms/bitcoin-miner-utilizing-irc-worm.html


*** strongSwan Null Pointer Dereference in Processing ID_DER_ASN1_DN ID Payloads Lets Remote Users Deny Service ***
---------------------------------------------
A vulnerability was reported in strongSwan. A remote user can cause denial of service conditions.
A remote user can send a specially crafted ID_DER_ASN1_DN ID payload to trigger a null pointer dereference and cause the target IKE service to crash.
---------------------------------------------
http://www.securitytracker.com/id/1030209


*** G Data: Symantecs "Ende der Antivirensoftware" verunsichert Nutzer ***
---------------------------------------------
Nicht verunsichern lassen und weiter Antivirensoftware kaufen - so lautet ein Aufruf von G Data. Symantec hatte zuvor erklärt, dass nur noch durchschnittlich 45 Prozent aller Angriffe von Antivirensoftware erkannt werden.
---------------------------------------------
http://www.golem.de/news/g-data-symantecs-ende-der-antivirensoftware-verunsichert-nutzer-1405-106381-rss.html


*** Drupal Flag 7.x-3.5 Command Execution ***
---------------------------------------------
Topic: Drupal Flag 7.x-3.5 Command Execution Risk: High Text:Drupal Flag 7.x-3.5 Module Vulnerability Report Author: Ubani Anthony Balogun  Reported: May 07, 2014 ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050054


*** Nach Heartbleed: Neues Zertifikat, alter Key ***
---------------------------------------------
Nach dem Heartbleed-Bug haben viele Administratoren Zertifikate für TLS-Verbindungen ausgetauscht. Viele haben dabei jedoch einen fatalen Fehler begangen: Sie erstellten zwar ein neues Zertifikat, aber keinen neuen Schlüssel. (Technologie, Applikationen)
---------------------------------------------
http://www.golem.de/news/nach-heartbleed-neues-zertifikat-alter-key-1405-106384-rss.html


*** Backdoor Xtrat Continues to Evade Detection ***
---------------------------------------------
While reviewing recent reports scanned by ZULU, we came across a malicious report that drew our attention. It was notable as the final redirection downloaded ZIP content by accessing a PHP file on the domain www.stisanic.com. URL: hxxp://www[.]stisanic[.]com/wp-content/coblackberrycomnotasdevozdate07052014[.]php ZULUs virustotal check scored the file as higher risk. At the time 10
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/OqS4L1x6ebQ/backdoor-xtrat-continues-to-evade.html


*** Link-shortening service Bit.ly suffers data breach ***
---------------------------------------------
We have reason to believe that Bitly account credentials have been compromised; specifically, users' email addresses, encrypted passwords, API keys and OAuth tokens. We have no indication at this time that any accounts have been accessed without permission. We have taken steps to ensure the security of all accounts, including disconnecting all users' Facebook and Twitter accounts. All users can safely reconnect these accounts at their next login.
---------------------------------------------
http://blog.bitly.com/post/85169217199/urgent-security-update-regarding-your-bitly-account


*** Falsche Zertifikate unterwandern HTTPS-Verbindungen ***
---------------------------------------------
Forscher sprechen von signifikantem Teil der verschlüsselten Kommunikation - Vor allem Firewalls und Antivirensoftware verantwortlich
---------------------------------------------
http://derstandard.at/1399507237936


*** Linux-Kernel: Root-Rechte für Nutzer ***
---------------------------------------------
Durch einen Fehler im Linux-Kernel kann ein einfacher Nutzer Root-Rechte erlangen. Bekannt ist der Fehler schon seit gut einer Woche, aber jetzt gibt es einen öffentlichen Exploit.
---------------------------------------------
http://www.golem.de/news/linux-kernel-root-rechte-fuer-nutzer-1405-106407-rss.html


*** Race Condition in the Linux kernel ***
---------------------------------------------
The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.
---------------------------------------------
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0196


*** Unbekannte bieten 33 Millionen E-Mail-Adressen feil ***
---------------------------------------------
Das könnte die nächste Spam-Welle auslösen: Unbekannte bieten per E-Mail mehrere Millionen Mailadressen von deutschen Providern zum Kauf an. Angeblich handelt es sich um 100 Prozent gültige Adressen.
---------------------------------------------
http://www.heise.de/security/meldung/Unbekannte-bieten-33-Millionen-E-Mail-Adressen-feil-2187395.html


*** HPSBST03038 rev.1 - HP H-series Fibre Channel Switches, Remote Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified with certain HP H-series Fibre Channel Switches. This vulnerability could be exploited remotely to disclose information.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04277407


*** Bugtraq: ESA-2014-027: RSA NetWitness and RSA Security Analytics Authentication Bypass Vulnerability ***
---------------------------------------------
RSA NetWitness and RSA Security Analytics each contain a security fix for an authentication bypass vulnerability that could potentially be exploited to compromise the affected system. When PAM for Kerberos is enabled, an attacker can authenticate to the vulnerable system with a valid user name and without specifying a password. This issue does not affect other authentication methods.
---------------------------------------------
http://www.securityfocus.com/archive/1/532077