[CERT-daily] Tageszusammenfassung - Freitag 2-10-2015

Fri Oct 2 18:07:46 CEST 2015

=======================
= End-of-Shift report =
=======================

Timeframe:   Donnerstag 01-10-2015 18:00 − Freitag 02-10-2015 18:00
Handler:     Alexander Riepl
Co-Handler:  n/a


*** Multiple XSS vulnerabilities in FortiSandbox WebUI ***
---------------------------------------------
http://www.fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortisandbox-webui


*** ZebOS routing remote shell service enabled ***
---------------------------------------------
http://www.fortiguard.com/advisory/zebos-routing-remote-shell-service-enabled


*** Security advisory: Stored XSS in Jetpack ***
---------------------------------------------
During a routine audit for our WAF, we discovered a critical stored XSS affecting the Jetpack WordPress plugin, one of the most popular plugins in the WordPress ecosystem.
---------------------------------------------
https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-jetpack.html


*** When Security Experts Gather to Talk Consensus, Chaos Ensues ***
---------------------------------------------
Tension between researchers and vendors over the disclosure of software security vulnerabilities has raged for two decades. A meeting to address that tension further highlighted the tension.
---------------------------------------------
http://www.wired.com/2015/10/security-experts-gather-talk-consensus-chaos-ensues/


*** Avast Antivirus X.509 Error Rendering Command Execution ***
---------------------------------------------
https://cxsecurity.com/issue/WLB-2015100017


*** T-Mobile USA: Millionen Kundendaten gehackt ***
---------------------------------------------
Rund 15 Millionen Kunden von T-Mobile in den USA sind von einem Hack persönlicher Daten betroffen. Die Informationen wurden nicht bei T-Mobile direkt erbeutet, sondern bei Experian, einem Dienst zur Prüfung der Bonität potenzieller Kunden.
---------------------------------------------
http://www.golem.de/news/t-mobile-usa-millionen-kundendaten-gehackt-1510-116647.html


*** FourQ: Microsofts kryptografischer Standard will besser sein ***
---------------------------------------------
Microsoft steigt in die Elliptische-Kurven-Kryptografie ein und hat eine entsprechende Bibliothek veröffentlicht: FourQ soll teilweise deutlich schneller sein als bisherige Ansätze.
---------------------------------------------
http://heise.de/-2836389


*** IoT-Malware: Freundlicher Virus verspricht mehr Sicherheit ***
---------------------------------------------
Sicherheitstipps und deaktivierte Telnet-Daemons: Eine neue Malware möchte Internetnutzer erziehen. Die Entdecker raten trotzdem dazu, das Programm zu entfernen.
---------------------------------------------
http://www.golem.de/news/iot-malware-freundlicher-virus-verspricht-mehr-sicherheit-1510-116654.html


*** Cisco Wireless LAN Controller Devices 802.11i Management Frame Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=41249


*** Cisco Unified Communications Manager IM and Presence Service REST API Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/viewAlert.x?alertId=41242


*** Omron Multiple Product Vulnerabilities ***
---------------------------------------------
This advisory provides mitigation details for vulnerabilities in the Omron Corporation CX-Programmer software, CJ2M series programmable logic controller (PLC), and CJ2H series PLC.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-274-01


*** How Patreon got hacked ***
---------------------------------------------
TL;DR, Patreon got hacked. We reported a specific Remote Code Execution to them due to a public debugger before they were breached. We believe this was the attack method due to the simplicity and availability of the vulnerable endpoint. This is how you prevent this from happening to you.
---------------------------------------------
http://labs.detectify.com/post/130332638391/how-patreon-got-hacked-publicly-exposed-werkzeug