[CERT-daily] Daily summary - Monday 23-03-2015

Daily end-of-shift report team at cert.at
Mon Mar 23 18:14:44 CET 2015


=======================
= End-of-Shift report =
=======================

Timeframe:   Friday 20-03-2015 18:00 − Monday 23-03-2015 18:00
Handler:     Stephan Richter
Co-Handler:  n/a




*** Apple: Those security holes we fixed last week? You're going to need to repatch ***
---------------------------------------------
Turns out those bugs weren't quite squished. Apple has released a follow-up to last week's security update after finding a pair of flaws that are still exploitable on patched systems.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/03/20/apple_remember_those_security_holes_we_fixed_last_week_yeah_youre_going_to_need_to_patch_them_again/




*** Drupal Compromise Analysis Including Indicators of Compromise ***
---------------------------------------------
I would like to thank fellow SpiderLabs Researcher Chaim Sanders and Dennis Wilson, Bryant Smith and Casey Critchfield for their help with gathering data and analyzing this attack. Analysis of a real Drupal compromise: in this blog post, we will...
---------------------------------------------
https://www.trustwave.com/Resources/SpiderLabs-Blog/Drupal-Compromise-Analysis-Including-Indicators-of-Compromise/




*** Operation Woolen Goldfish, a hacking campaign in the wild ***
---------------------------------------------
Security experts at Trend Micro uncovered a new hacking campaign dubbed Operation Woolen Goldfish, likely run by a threat actor group known as Rocket Kitten. Security experts at Trend Micro have uncovered a new cyber espionage campaign that is targeting a number of European organisations and businesses. The attackers run a spear phishing campaign that...
---------------------------------------------
http://securityaffairs.co/wordpress/35128/cyber-crime/operation-woolen-goldfish.html




*** PoSeidon: the most sophisticated PoS malware until now ***
---------------------------------------------
The Cisco Security Team has spotted in the wild a new Point-of-Sale malware dubbed PoSeidon that is more sophisticated than previously detected PoS malware. Experts at Cisco have discovered a new Point-of-Sale (PoS) malware dubbed PoSeidon. The experts have discovered many similarities with the popular Zeus Trojan, and it uses more sophisticated methods to find card data than other PoS malware like BlackPoS, which was used...
---------------------------------------------
http://securityaffairs.co/wordpress/35181/cyber-crime/poseidon-pos-malware.html




*** CREEPS rejoice: Small biz Cisco phones open to eavesdrop 0-day ***
---------------------------------------------
Open phones may crop up on Shodan. Creeps can listen in to conversations placed over vulnerable Cisco small business phones.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/03/23/creeps_rejoice_small_biz_phones_open_to_evaesdrop_0day/




*** New Dridex malware evades detection with AutoClose function ***
---------------------------------------------
Security experts at Proofpoint have discovered a new phishing campaign that uses a Dridex variant that evades detection with an AutoClose function. The criminal crews behind the Dridex banking malware are very prolific and keep improving the popular malicious code. Recently we discussed a Dridex variant which was spread through phishing messages with Microsoft Office documents embedding malicious macros. The attackers used social engineering techniques to lure...
---------------------------------------------
http://securityaffairs.co/wordpress/35197/cyber-crime/new-dridex-malware.html




*** Adobe CVE-2011-2461 Remains Exploitable Four Years After Patch ***
---------------------------------------------
A Flash vulnerability that Adobe patched four years ago actually remains exploitable, according to a presentation given by a pair of researchers at the TROOPERS security conference.
---------------------------------------------
http://threatpost.com/adobe-cve-2011-2461-remains-exploitable-four-years-after-patch/111754




*** Watch for updated router firmware!, (Mon, Mar 23rd) ***
---------------------------------------------
With the OpenSSL updates this week I am sure you are all diligently testing and deploying to all your vulnerable servers. Something you may not have thought of is that most SOHO routers run some kind of *nix variant and will most likely make use of OpenSSL. Be sure to watch for new firmware for those devices as well. On Friday I chatted to two of the larger manufacturers and neither had any timeline for deploying new firmware containing the OpenSSL patches and both said to watch for
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19497&rss




*** BIOS rootkit LightEater: in the dark corners beyond the operating system ***
---------------------------------------------
A rootkit that operates independently of the operating system, can read all of memory and is not stopped by swapping the hard disk in the system: what sounds like an IT horror story has now been publicly presented by two researchers.
---------------------------------------------
http://heise.de/-2582782




*** VU#631788: Multiple BIOS implementations permit unsafe SMM function calls to memory locations outside of SMRAM ***
---------------------------------------------
Vulnerability Note VU#631788
Original release date: 20 Mar 2015 | Last revised: 20 Mar 2015
Overview: Multiple BIOS implementations permit unsafe System Management Mode (SMM) function calls to memory locations outside of SMRAM.
Description: Multiple BIOS implementations permit unsafe System Management Mode (SMM) function calls to memory locations outside of SMRAM. According to Corey Kallenberg
---------------------------------------------
http://www.kb.cert.org/vuls/id/631788




*** Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products ***
---------------------------------------------
cisco-sa-20150320-openssl
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150320-openssl




*** DSA-3199 xerces-c - security update ***
---------------------------------------------
Anton Rager and Jonathan Brossard from the Salesforce.com Product Security Team and Ben Laurie of Google discovered a denial of service vulnerability in xerces-c, a validating XML parser library for C++. The parser mishandles certain kinds of malformed input documents, resulting in a segmentation fault during a parse operation. An unauthenticated attacker could use this flaw to cause an application using the xerces-c library to crash.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3199




*** DSA-3202 mono - security update ***
---------------------------------------------
Researchers at INRIA and Xamarin discovered several vulnerabilities in mono, a platform for running and developing applications based on the ECMA/ISO Standards. Mono's TLS stack contained several problems that hampered its capabilities: those issues could lead to client impersonation (via SKIP-TLS), SSLv2 fallback, and encryption weakening (via FREAK).
---------------------------------------------
https://www.debian.org/security/2015/dsa-3202




*** Bugtraq: FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED] ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534943




*** Xen Project 4.4.2 ***
---------------------------------------------
We are pleased to announce the release of Xen 4.4.2. This is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.4 (tag RELEASE-4.4.2) or from this download page. This fixes the following critical vulnerabilities:...
---------------------------------------------
http://www.xenproject.org/downloads/xen-archives/xen-44-series/xen-442.html




*** Xen Project 4.3.4 ***
---------------------------------------------
We are pleased to announce the release of Xen 4.3.4. This is available immediately from its git repository http://xenbits.xen.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.3 (tag RELEASE-4.3.4) or from this page. Note that this is expected to be the last release of the 4.3 stable series. The tree will be switched to security only maintenance mode after this release. This fixes the following critical vulnerabilities:...
---------------------------------------------
http://www.xenproject.org/downloads/xen-archives/xen-43-series/xen-434.html




*** SA-CONTRIB-2015-066 - Tracking Code - Cross Site Request Forgery (CSRF) ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2015-066
Project: Tracking Code (third-party module)
Version: 7.x
Date: 2015-March-04
Security risk: 13/25 (Moderately Critical) AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:All
Vulnerability: Cross Site Request Forgery
Description: The Tracking Code module allows you to create tracking code snippets and control their visibility. The module doesn't sufficiently protect some URLs against CSRF. A malicious user can cause an administrator to disable tracking codes by getting
---------------------------------------------
https://www.drupal.org/node/2445961




*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Sterling Connect:Enterprise for UNIX (CVE-2014-3569, CVE-2015-0204, CVE-2014-3570, CVE-2014-3572, CVE-2014-8275) ***
http://www.ibm.com/support/docview.wss?uid=swg21699211

*** IBM Security Bulletin: TLS padding vulnerability affects IBM API Management (CVE-2014-8730) ***
http://www.ibm.com/support/docview.wss?uid=swg21699160

*** IBM Security Bulletin: IBM Content Collector affected by vulnerability in IBM Dojo Toolkit (CVE-2014-8917) ***
http://www.ibm.com/support/docview.wss?uid=swg21694603

*** IBM Security Bulletin: Multiple security vulnerabilities in IBM Java Runtime affect IBM Rational ClearCase (CVE-2014-3566, CVE-2014-6457) ***
http://www.ibm.com/support/docview.wss?uid=swg21698748

*** IBM Security Bulletin: XML External Entity Processing in Castor might affect IBM Business Process Manager (CVE-2014-3004) ***
http://www.ibm.com/support/docview.wss?uid=swg21690565

*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Tivoli Storage Productivity Center July 2014 CPU ***
http://www.ibm.com/support/docview.wss?uid=swg21695005

*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for ACH Services, Check Services and Corporate Payment Services (CVE-2014-6593, CVE-2015-0410) ***
http://www.ibm.com/support/docview.wss?uid=swg21698702

*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2014-3566, CVE-2014-6457, CVE-2014-6593, CVE-2015-0410) ***
http://www.ibm.com/support/docview.wss?uid=swg21699032

*** IBM Security Bulletin: IBM Forms Viewer can crash based on an embedded PNG image (CVE-2014-9495, CVE-2015-0973) ***
http://www.ibm.com/support/docview.wss?uid=swg21697791
