[CERT-daily] Tageszusammenfassung - Montag 6-10-2014

Mon Oct 6 18:22:56 CEST 2014

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 03-10-2014 18:00 − Montag 06-10-2014 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** CSAM: The Power of Virustotal to Turn Harmless Binaries Malicious, (Fri, Oct 3rd) ***
---------------------------------------------
We all know that anti virus, the necessary evil of basic computer security, isnt a stranger to false positives. So no big surprise here when John is writing that he ran into such a false positive during an incident response:  I was scanning a forensic drive image with clamav and scored a positive hit on a file.  Great. ClamAV, a free anti-virus product. Of course, we dont trust it. So John did what most of use would have done, and submitted the suspect binary to Virustotal:  Virustotal showed...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18759&rss


*** Detecting irregular programs and services installed in your network, (Sun, Oct 5th) ***
---------------------------------------------
When the corporate network becomes target, auditing for security policy compliance can be challenging if you dont have a software controlling irregular usage of administrator privilege granted and being used to install unauthorized software or to change configuration by installing services that could cause an interruption in network service. Examples of this possible issues are additional DHCP Servers (IPv4 and IPv6), Dropbox, Spotify or ARP scanning devices. We can use nmap to detect all...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18763&rss


*** Testing for opened ports with firewalk technique, (Sat, Oct 4th) ***
---------------------------------------------
There is an interesting way of knowing what kind of filters are placed in the gateway of a specific host. It is called firewalk and it is based on IP TTL expiration. The algorithm goes as follows:  The entire route is determined using any of the traceroute techniques available A packet is sent with the TTL equal to the distance to the target If the packet times out, it is resent with the TTL equal to the distance to the target minus one. If an ICMP type 11 code 0 (Time-to-Live exceeded) is...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18761&rss


*** Shellshock-like Weakness May Affect Windows ***
---------------------------------------------
A weakness in Windows, similar to Shellshock, may put Windows Server deployments at risk to remote code execution.
---------------------------------------------
http://threatpost.com/shellshock-like-weakness-may-affect-windows/108696


*** Bugzilla Zero-Day Exposes Zero-Day Bugs ***
---------------------------------------------
A previously unknown security flaw in Bugzilla -- a popular online bug-tracking tool used by Mozilla and many of the open source Linux distributions -- allows anyone to view detailed reports about unfixed vulnerabilities in a broad swath of software. Bugzilla is expected today to issue a fix for this very serious weakness, which potentially exposes a veritable gold mine of vulnerabilities that would be highly prized by cyber criminals and nation-state actors.
---------------------------------------------
http://krebsonsecurity.com/2014/10/bugzilla-zero-day-exposes-zero-day-bugs/


*** Apple anti-malware update blocks new iWorm Mac botnet ***
---------------------------------------------
Apple has updated its malware blacklisting system, known as XProtect, to block a Mac attack thought to have infected over 18,500 Macs.
---------------------------------------------
http://www.zdnet.com/apple-anti-malware-update-blocks-new-iworm-mac-botnet-7000034364/


*** Using the Windows 10 Technical Preview? Microsoft might be watching your every move to help with feedback ***
---------------------------------------------
One of the main goals with the Windows 10 Technical Preview is for Microsoft to collect feedback to help shape the final version of the operating system, which is said to be coming sometime in summer 2015. The Technical Preview requires users to register with the Windows Insider Program, which allows users to submit their own feedback about the operating system... but is Microsoft collecting more than what you think youre submitting?
---------------------------------------------
http://www.winbeta.org/news/using-windows-10-technical-preview-microsoft-might-be-watching-your-every-move-help-feedback


*** SEO poisoning attacks still impacting legitimate websites ***
---------------------------------------------
After recently helping a client rid their website of SEO spam, security company Sucuri detailed how SEO poisoning attacks are still impacting legitimate websites.
---------------------------------------------
http://www.scmagazine.com/attackers-use-seo-spam-to-improve-the-rankings-of-their-websites-on-google-and-other-search-engines/article/375339/


*** Uni boffins: Accurate Android AV app outperforms most rivals ***
---------------------------------------------
...Dont sweat, VXers, its STILL no use against obfuscated kit German researchers have built an Android app capable of detecting 94 percent of malware quick enough to run on mobile devices they say bests current offerings in effectiveness and description.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/10/06/uni_bods_say_accurate_android_av_app_blasts_rivals/


*** Bugtraq: BulletProof Security Wordpress v50.8 - POST Inject Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533611


*** Bugtraq: CVE-2014-7277 Stored Server XSS in ZyXEL SBG-3300 Security Gateway ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533609


*** Bugtraq: CVE-2014-7278 DoS in ZyXEL SBG-3300 Security Gateway ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533610


*** Cisco IOS XR Software Compression ACL Bypass Vulnerability ***
---------------------------------------------
CVE-2014-3396
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3396


*** Cisco WebEx Meetings Server Password Disclosure Vulnerability ***
---------------------------------------------
CVE-2014-3400
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3400


*** Cisco ASA Software Version Information Disclosure ***
---------------------------------------------
CVE-2014-3398
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3398


*** Cisco ASA Software SharePoint RAMFS Integrity and Lua Injection Vulnerability ***
---------------------------------------------
CVE-2014-3399
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3399


*** IBM Security Bulletins: Vulnerabilities in Bash affect various Products ***
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_vulnerabilities_in_bash_affect_ibm_worklight_quality_assurance_cve_2014_6271_cve_2014_7169_cve_2014_7186_cve_2014_7187_cve_2014_6277_cve_2014_6278?lang=en_us
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_vulnerabilities_in_bash_affect_ds8000_hmc_cve_2014_6271_cve_2014_7169_cve_2014_7186_cve_2014_7187_cve_2014_6277_cve_2014_6278?lang=en_us
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_vulnerabilities_in_bash_affect_power_hardware_management_console_cve_2014_6271_cve_2014_7169_cve_2014_7186_cve_2014_7187_cve_2014_6277_cve_2014_6278?lang=en_us


*** Identity Assurance Solution Client (IASC) 3.1 Hotfix 2 ***
---------------------------------------------
Abstract: This is an update to the shipping release of the Identity Assurance Solution Client (IASC) 3.1 also known as the Novell Enhanced Smart Card Method (NESCM). The IASC client 3.1 is a standalone method that provides smart card-based authentication for eDirectory. This Hotfix has been provided to address the following security vulnerabilities found in OpenSSL & CLDAP SDK: CVE-2014-0224 & CVE-2014-3508 (Bug 893314 / 892895) Files: NTLS.DLL, LDAPSSL.DLL Filename:...
---------------------------------------------
https://download.novell.com/Download?buildid=s6M5LsksoOA~


*** Linux Kernel Seed Initialization Flaw Reduces Randomness in Certain Values and May Make TCP Sequence Numbers More Predictable ***
---------------------------------------------
http://www.securitytracker.com/id/1030959


*** VMSA-2014-0010.7 ***
---------------------------------------------
VMware product updates address critical Bash security vulnerabilities
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0010.html


*** DSA-3046 mediawiki ***
---------------------------------------------
security update
---------------------------------------------
http://www.debian.org/security/2014/dsa-3046


*** Bugtraq: [SECURITY] [DSA 3044-1] qemu-kvm security update ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533619


*** Bugtraq: [SECURITY] [DSA 3045-1] qemu security update ***
---------------------------------------------
[SECURITY] [DSA 3045-1] qemu security update
---------------------------------------------
http://www.securityfocus.com/archive/1/533621


*** SSA-860967 (Last Update 2014-10-06): GNU Bash Vulnerabilities in Siemens Industrial Products ***
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-860967.pdf


*** [remote] - OpenVPN 2.2.29 - ShellShock Exploit ***
---------------------------------------------
http://www.exploit-db.com/exploits/34879