[CERT-daily] Tageszusammenfassung - Donnerstag 19-02-2015

Thu Feb 19 18:09:29 CET 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 18-02-2015 18:00 − Donnerstag 19-02-2015 18:00
Handler:     Robert Waldner
Co-Handler:  Alexander Riepl


*** SA-CONTRIB-2015-052 - RESTful Web Services - Access Bypass ***
---------------------------------------------
This module enables you to expose Drupal entities as RESTful web services. It provides a machine-readable interface to exchange resources in JSON, XML and RDF. The RESTWS Basic Auth submodule doesn't sufficiently disable page caching for ...
---------------------------------------------
https://www.drupal.org/node/2428863


*** SA-CONTRIB-2015-048 - Avatar Uploader - Arbitrary PHP code execution ***
---------------------------------------------
Avatar Uploader module provides an alternative way to upload user pictures. The module doesn't sufficiently enforce file extensions when an avatar is uploaded, allowing users to bypass Drupal's normal file upload protections to ..
---------------------------------------------
https://www.drupal.org/node/2428793


*** Multiple vulnerabilities in Cisco products ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0623
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0626
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0622


*** BIND: A Problem with Trust Anchor Management Can Cause named to Crash ***
---------------------------------------------
BIND servers which are configured to perform DNSSEC validation and which are using managed-keys (which occurs implicitly when using "dnssec-validation auto;" or "dnssec-lookaside auto;") may terminate with an assertion failure when .
---------------------------------------------
https://kb.isc.org/article/AA-01235/0


*** OWASP AppSensor - implement real-time intrusion detection within in your software ***
---------------------------------------------
Free, open source, DevOps friendly and cloud compatible AppSensor provides real-time application-layer attack detection and response.
---------------------------------------------
https://www.owasp.org/images/8/8e/Appsensor_intro_for_developers.pdf


*** Lenovo-Laptops durch Superfish-Adware angreifbar ***
---------------------------------------------
Eine Adware namens Superfish wird offenbar schon seit mehreren Monaten auf Laptops von Lenovo ausgeliefert. Diese fügt Werbung in fremde Webseiten ein und installiert dafür ein Root-Zertifikat - eine riesige Sicherheitslücke.
---------------------------------------------
http://www.golem.de/news/adware-lenovo-laptops-durch-superfish-adware-angreifbar-1502-112460.html


*** Macros? Really?! ***
---------------------------------------------
.. macro-based malware is now making a "successful" comeback. Last week, we saw a significant Dridex malware run that was using macros in Excel files (.XLSM), and earlier this week, the crooks behind the banking spyware "Vawtraq" started to spam the usual "Fedex Package" and "Tax Refund" emails, ..
---------------------------------------------
https://isc.sans.edu/diary/Macros%3F+Really%3F!/19349


*** Automating Removal of Java Obfuscation ***
---------------------------------------------
In this post we detail a method to improve analysis of Java code for a particular obfuscator, we document the process that was followed and demonstrate the results of automating our method. Obscurity will not stop an attacker and once the method is known, methodology can be developed to automate the process.
---------------------------------------------
http://www.contextis.com/resources/blog/automating-removal-java-obfuscation/


*** IETF: RC4 in TLS offiziell nicht mehr erlaubt ***
---------------------------------------------
Die RC4-Verschlüsselung darf laut dem neuen RFC 7465 nicht mehr für TLS-Verbindungen genutzt werden. Der Algorithmus gilt schon lange als problematisch, Details über neue Angriffe sollen in Kürze veröffentlicht werden. 
---------------------------------------------
http://www.golem.de/news/ietf-rc4-in-tls-offiziell-nicht-mehr-erlaubt-1502-112469.html


*** Cross-Site Tracing (XST): The misunderstood vulnerability ***
---------------------------------------------
Alas, the 'XS' in XST evokes similarity to XSS (Cross-Site Scripting) which has the consequence of leading people to mistake XST as a method for injecting JavaScript. (Thankfully, character encoding attacks have avoided the term Cross-Site Unicode, XSU.) Although XST attacks rely on browser scripting ..
---------------------------------------------
http://deadliestwebattacks.com/2010/05/18/cross-site-tracing-xst-the-misunderstood-vulnerability/


*** Duplicator 0.5.8 - Privilege Escalation ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7799


*** Technology doping: Competitive advantage by abusing security flaws in smart sports equipment ***
---------------------------------------------
The term 'Technology doping' has recently been used [1] to mean the practice of gaining a competitive advantage through using sports equipment e.g. The LZR Racer bodysuit [2] that was used by many of the swimmers during the Beijing Olympics, resulting in world records being broken. Shortly afterwards, FINA (Federation Internationale de Natation), the international ..
---------------------------------------------
https://www.nccgroup.com/en/blog/2015/02/technology-doping-competitive-advantage-by-abusing-security-flaws-in-smart-sports-equipment/


*** l+f: Geklonte SSH-Schlüssel sind böse ***
---------------------------------------------
Tausende von Geräten im Netz verwenden ein und den selben SSH-Schlüssel. Das birgt Gefahren.
---------------------------------------------
http://heise.de/-2555229


*** Erpressungs-Software im Aufstieg: Wenn Daten zur Geisel werden ***
---------------------------------------------
Immer mehr Kriminelle setzen auf "Ransomware", um Lösegeld zu erpressen. Ihr nächstes Ziel: Mobiltelefone.
---------------------------------------------
http://derstandard.at/2000011389615