[CERT-daily] Tageszusammenfassung - Freitag 13-02-2015

Fri Feb 13 18:03:08 CET 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Donnerstag 12-02-2015 18:00 − Freitag 13-02-2015 18:00
Handler:     Robert Waldner
Co-Handler:  Alexander Riepl


*** Open-Xchange Access Control Flaw Lets Remote Authenticated Users Access Restricted Files ***
---------------------------------------------
A vulnerability was reported in Open-Xchange. A remote authenticated user can access certain files on the target system.
A remote authenticated user with access to publications can access shared files without permission to access them.
---------------------------------------------
http://www.securitytracker.com/id/1031744


*** Security Advisory-Information Leakage Vulnerability in Huawei P7 Smartphone ***
---------------------------------------------
MeWidget is a plug-in of Huawei Emotion UI. The MeWidget module on Huawei smartphone P7 has a vulnerability that could lead to the disclosure of contact information. Attackers can obtain the name and URI information of mobile phone users through the malware installed on the smartphones.
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-414289.htm


*** Apple: Zwei-Faktor-Schutz für iMessage und FaceTime ***
---------------------------------------------
Apple bietet ab sofort die Zwei-Faktor-Authentifizierung auch für seine Dienste FaceTime und iMessage an. Dieses schützt das Konto mit einem zweiten Passwort.
---------------------------------------------
http://futurezone.at/digital-life/apple-zwei-faktor-schutz-fuer-imessage-und-facetime/113.633.802


*** NetGear WNDR Authentication Bypass / Information Disclosure ***
---------------------------------------------
.. viewing and setting of certain router parameters, such as: WLAN credentials and SSIDs. Connected clients. Guest WLAN credentials and SSIDs. Parental control settings. ... As this SOAP service is called via the built-in HTTP / CGI daemon, unauthenticated queries will be answered from the WAN if remote management has been enabled on the device. As a result, affected devices can be interrogated and hijacked with as little as a well placed HTTP query.
---------------------------------------------
https://github.com/darkarnium/secpub/blob/master/NetGear/SOAPWNDR/README.md


*** vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities ***
---------------------------------------------
Vulnerable Versions: 5.1.3, 5.0.5, 4.2.2, 3.8.7, 3.6.7, 3.6.0, 3.5.4 
Vulnerability Details: vBulletin has a security problem. It can be exploited by XSS attacks. The vulnerability occurs at "forum/help" page. Add "hash symbol" first. Then add script at the end of it.
CVE Reference: CVE-2014-9469
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
---------------------------------------------
http://securityrelated.blogspot.co.at/2015/02/cve-2014-9469-vbulletin-xss-cross-site.html


*** Netatmo Weather Station Sends WPA Passwords In the Clear ***
---------------------------------------------
UnderAttack writes The SANS Internet Storm Center is writing that Netatmo weather stations will send the users WPA password in the clear back to Netatmo. Netatmo states that this is some forgotten debug code that was left in the device. Overall, the device doesnt bother with encryption, but sends all data, not just the password, in the clear. 
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/-VdGyumpxjY/story01.htm


*** Windows Exploit Mitigation Technology - Part 1 ***
---------------------------------------------
The spree of exploits on Windows has led to the creation of a certain type of exploit protection mechanism on Windows. Protection from things like buffer overflow, heap overwrite and return originated exploits have been deployed on Windows compilers and OS. 
---------------------------------------------
http://resources.infosecinstitute.com/windows-exploit-mitigation-technology-part-1/