[CERT-daily] Tageszusammenfassung - Mittwoch 18-11-2015

Wed Nov 18 18:30:18 CET 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 17-11-2015 18:00 − Mittwoch 18-11-2015 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter


*** Adobe releases out-of-band security patches - amazingly not for Flash ***
---------------------------------------------
ColdFusion, LiveCycle and Premiere get fixed ... Adobe says that it hasnt seen any evidence that these flaws are being exploited in the wild, but that users should patch anyway, just to be on the safe side - certainly before hackers reverse-engineer the updates and start abusing the bugs...
---------------------------------------------
http://www.theregister.co.uk/2015/11/17/adobe_releases_outofband_security_patches_amazingly_not_for_flash/


*** Introducing Chuckle and the importance of SMB signing ***
---------------------------------------------
Digital signing is a feature of SMB designed to allow a recipient to confirm the authenticity of SMB packets and to prevent tampering during transit - this feature was first made available back in Windows NT 4.0 Service Pack 3. By default, only domain controllers require packets to be signed and this default behavior is usually seen in most corporate networks.
---------------------------------------------
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/november/introducing-chuckle-and-the-importance-of-smb-signing/


*** Team Cymru: Free tools for incident response ***
---------------------------------------------
We at Team Cymru would like to be helpful to incident response vendors in implementing the USG's growing security strategy. To that end, we have identified a few of our free community resources (and one commercial service) that would be most useful to IR.
---------------------------------------------
https://blog.team-cymru.org/2015/11/free-tools-for-incident-response-and-a-word-from-the-us-government/


*** How two seconds become two days ***
---------------------------------------------
At 3:37PM PST, we had a power blip in one of our datacenters. In those two seconds, over 1,000 systems blinked offline. As a non-profit, we don't have all of those niceties such as hot-hot datacenters or those new fangled UPSes. Instead, we do it the old fashioned way, which means we are susceptible to...
---------------------------------------------
http://blog.shadowserver.org/2015/11/17/how-two-seconds-become-two-days/


*** A flaw in D-Link Switches opens corporate networks to hack ***
---------------------------------------------
A flaw in certain D-Link switches can be exploited by remote attackers to access configuration data and hack corporate networks. The independent security researcher Varang Amin and the chief architect at Elastica's Cloud Threat Labs Aditya Sood have discovered a vulnerability in the D-Link Switches belonging to the DGS-1210 Series Gigabit Smart Switches. The security experts revealed...
---------------------------------------------
http://securityaffairs.co/wordpress/42054/hacking/d-link-switches-flaw.html


*** Blast from the Past: Blackhole Exploit Kit Resurfaces in Live Attacks ***
---------------------------------------------
The year is 2015 and a threat actor is using the defunct Blackhole exploit kit in active drive-by download campaigns via compromised websites.Categories:  ExploitsTags: drive-by downloadsexploitexploit kitwebsite(Read more...)
---------------------------------------------
https://blog.malwarebytes.org/exploits-2/2015/11/blast-from-the-past-blackhole-exploit-kit-resurfaces-in-live-attacks/


*** Google VirusTotal - now with autoanalysis of OS X malware ***
---------------------------------------------
Google just announced that its virus classification and auto-analysis service, VirusTotal, is now officially interested in OS X malware.
---------------------------------------------
http://feedproxy.google.com/~r/nakedsecurity/~3/buCfkbvoJqQ/


*** Nishang: A Post-Exploitation Framework ***
---------------------------------------------
Introduction I was recently doing an external penetration test for one of our clients, where I got shell access to Windows Server 2012(Internal WebServer sitting behind an IPS) with Administrative Privileges. It also appears to have an Antivirus installed on the system as everything I was uploading on to the machine was being deleted on...
---------------------------------------------
http://resources.infosecinstitute.com/nishang-a-post-exploitation-framework/


*** 10 dumb security mistakes sys admins make ***
---------------------------------------------
Security isn't merely a technical problem -- its a people problem. There's only so much technology you can throw at a network before dumb human mistakes trip you up.But guess what? Those mistakes are often committed by the very people who should know better: system administrators and other IT staff.[ Also on InfoWorld: 10 security mistakes that will get you fired. | Deep Dive: How to rethink security for the new world of IT. | Discover how to secure your systems with InfoWorlds...
---------------------------------------------
http://www.cio.com/article/3006147/security/10-dumb-security-mistakes-sys-admins-make.html#tk.rss_security


*** SANS Pentest Sumit: Evil DNS tricks by Ron Bowes - slide deck ***
---------------------------------------------
Things Im gonna talk about: * How to use DNS in pentesting * How to use DNSs indirect nature * DNS tunnelling (dnscat2)
---------------------------------------------
https://docs.google.com/presentation/d/1Jxh6PPO9JbUqXwOCTQFyA00uQoFMDBh-1PedDOp1Z0Y/edit?pli=1


*** Cyber Security Assessment Netherlands 2015: cross-border cyber security approach necessary ***
---------------------------------------------
The CSAN has five Core Findings: * Cryptoware and other ransomware constitute the preferred business model for cyber criminals * Geopolitical tensions manifest themselves increasingly often in (impending) digital security breaches * Phishing is often used in targeted attacks and can barely be recognised by users * Availability becomes more important as alternatives to IT systems are disappearing * Vulnerabilities in software are still the Achilles heel of digital security
---------------------------------------------
https://www.ncsc.nl/english/current-topics/Cyber+Security+Assessment+Netherlands/cyber-security-assessment-netherlands-2015%5B2%5D.html


*** Inside the Conficker-Infected Police Body Cameras ***
---------------------------------------------
A Florida integrator who discovered the Conficker worm lurking in body cameras meant for police use takes Threatpost inside the story, including a frustrating disclosure with a disbelieving manufacturer.
---------------------------------------------
http://threatpost.com/inside-the-conficker-infected-police-body-cameras/115407/


*** EMC VPLEX GeoSynchrony Default Log Level Lets Local Users View Passwords ***
---------------------------------------------
http://www.securitytracker.com/id/1034169


*** F5 security advisory: NTP vulnerability CVE-2015-5300 ***
---------------------------------------------
A man-in-the-middle attacker able to intercept network time protocol (NTP) traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value at any time.
---------------------------------------------
https://support.f5.com/kb/en-us/solutions/public/k/10/sol10600056.html?ref=rss


*** Atlassian Hipchat XSS to RCE ***
---------------------------------------------
Topic: Atlassian Hipchat XSS to RCE Risk: Medium Text:Two issues exist in Atlassian’s HipChat desktop client that allow an attacker to retrieve files or execute remote code when a...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015110164


*** [HTB23272]: RCE and SQL injection via CSRF in Horde Groupware ***
---------------------------------------------
Product: Horde Groupware v5.2.10 Vulnerability Type: Cross-Site Request Forgery [CWE-352]Risk level: High Creater: http://www.horde.orgAdvisory Publication: September 30, 2015 [without technical details]Public Disclosure: November 18, 2015 CVE Reference: CVE-2015-7984 CVSSv2 Base Score: 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H] Vulnerability Details: High-Tech Bridge Security Research Lab discovered three Cross-Site Request Forgery (CSRF) vulnerabilities in a popular collaboration...
---------------------------------------------
https://www.htbridge.com/advisory/HTB23272


*** Security Advisory - Information Leak Vulnerability in Huawei DSM Product ***
---------------------------------------------
There is a information leak vulnerability in DSM (Document Security Management) Product. The DSM does not clear the clipboard after data in a secure file opened using the DSM is copied and the secure file is closed. Data in the clipboard can be copied in common documents that do not use the DSM, leading to information leaks. (Vulnerability ID: HWPSIRT-2015-09009) Huawei has released software updates to fix these vulnerabilities.
---------------------------------------------
http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-462410.htm


*** Symantec Endpoint Protection Elevation of Privilege Issues SYM15-011 ***
---------------------------------------------
11/16/2015 - Assigned a new CVE ID, CVE-2015-8113 and Bugtraq ID 77585, to the SEP Client Binary Planting Partial Fix to differentiate between the original fix released in 12.1-RU6-MP1 and the updated issue and fix released in 12.1-RU6-MP3
---------------------------------------------
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20151109_00


*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco Firepower 9000 USB Kernel Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-fire
---------------------------------------------
*** Cisco Firepower 9000 Command Injection at Management I/O Command-Line Interface Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151116-fire1
---------------------------------------------
*** Cisco Firepower 9000 Persistent Cross-Site Scripting Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower2
---------------------------------------------
*** Cisco Firepower 9000 Cross-Site Request Forgery Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower3
---------------------------------------------
*** Cisco Firepower 9000 Series Switch Clickjacking Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower4
---------------------------------------------
*** Cisco Firepower 9000 Arbitrary File Read Access Script Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151117-firepower1
---------------------------------------------


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-4852) ***
http://www.ibm.com/support/docview.wss?uid=swg21970575
---------------------------------------------
*** IBM Security Bulletin: IBM Sterling B2B Integrator has Cross Site Scripting vulnerabilities in Queue Watcher (CVE-2015-7431) ***
http://www.ibm.com/support/docview.wss?uid=swg21970676
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.5.0 and 1.7.0 affect IBM Flex System Manager (FSM) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022835
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK 7 affect IBM Systems Director Storage Control (CVE-2015-2613 CVE-2015-2601 CVE-2015-2625 CVE-2015-1931 ) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022936
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Monitoring (CVE-2015-1829, CVE-2015-3183, CVE-2015-1283, CVE-2015-4947, CVE-2015-2808) ***
http://www.ibm.com/support/docview.wss?uid=swg21970056
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 1.5.0 and 1.7.0 affect IBM Flex System Manager (FSM) ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022820
---------------------------------------------