[CERT-daily] Tageszusammenfassung - Mittwoch 14-12-2016

Wed Dec 14 18:13:11 CET 2016

=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 13-12-2016 18:00 − Mittwoch 14-12-2016 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter


*** Facebook helps companies detect rogue SSL certificates for domains ***
---------------------------------------------
Facebook has launched a tool that allows domain name owners to discover TLS/SSL certificates that were issued without their knowledge.The tool uses data collected from the many Certificate Transparency logs that are publicly accessible. Certificate Transparency (CT) is a new open standard requiring certificate authorities to disclose the certificate that they issue.Until a few years ago, there was no way of tracking the certificates issued by every certificate authority (CA). At best,...
---------------------------------------------
http://www.cio.com/article/3149737/security/facebook-helps-companies-detect-rogue-ssl-certificates-for-domains.html#tk.rss_security


*** MS16-DEC - Microsoft Security Bulletin Summary for December 2016 - Version: 1.0 ***
---------------------------------------------
This bulletin summary lists security bulletins released for December 2016.
For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS16-DEC


*** Patchday: Kritische Lücken in Edge, Windows & Co. ***
---------------------------------------------
Microsoft veröffentlicht im Dezember insgesamt zwölf Sicherheitsupdates. Im schlimmsten Fall können Angreifer Computer von Opfern durch den bloßen Aufruf einer manipulierten Webseite kapern.
---------------------------------------------
https://heise.de/-3569916


*** MSRT December 2016 addresses Clodaconas, which serves unsolicited ads through DNS hijacking ***
---------------------------------------------
In this month's Microsoft Malicious Software Removal Tool (MSRT) release, we continue taking down unwanted software, the pesky threats that force onto our computers things that we neither want nor need. BrowserModifier:Win32/Clodaconas, for instance, displays ads when you're browsing the internet. It modifies search results pages so that you see unsolicited ads related to your...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2016/12/13/msrt-december-2016-addresses-clodaconas-which-serves-unsolicited-ads-through-dns-hijacking/


*** "Statistisch gesehen": Verschlüsselungstrojaner - ein Millionengeschäft ***
---------------------------------------------
Petya, Goldeneye - diese und andere Erpressungstrojaner haben weltweit viele Nutzer zur Kasse gebeten. Die Zahlungsmoral hängt nicht zuletzt von Empfehlungen der Behörden ab. Wie viel bisher wo gezahlt wurde, zeigt ein neues...
---------------------------------------------
https://heise.de/-3569888


*** Malvertising Campaign Infects Your Router Instead of Your Browser ***
---------------------------------------------
Malicious ads are serving exploit code to infect routers, instead of browsers, in order to insert ads in every site users are visiting. Discovered by security researchers from US security firm Proofpoint, this malvertising campaign is powered by a new exploit kit called DNSChanger EK. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malvertising-campaign-infects-your-router-instead-of-your-browser/


*** Modbus Stager: Using PLCs as a payload/shellcode distribution system ***
---------------------------------------------
This weekend I have been playing around with Modbus and I have developed a stager in assembly to retrieve a payload from the holding registers of a PLC. Since there are tons of PLCs exposed to the Internet, I thought whether it would be possible to take advantage of the processing and memory provided by them to store certain payload so that it can be recovered later (from the stager).
---------------------------------------------
http://www.shelliscoming.com/2016/12/modbus-stager-using-plcs-as.html


*** UAC Bypass in JScript Dropper ***
---------------------------------------------
What makes this sample different? After the classic execution of the PE files, it tries to bypass the Windows UAC using a "feature" present in eventvwr.exe. This system tool runs as a high integrity process and uses HKCU / HKCR registry hives to start mmc.exe which opens finally eventvwr.msc.
---------------------------------------------
https://isc.sans.edu/diary/UAC+Bypass+in+JScript+Dropper/21813


*** Sophos schließt Dirty-Cow-Lücke in Sicherheitspaket UTM ***
---------------------------------------------
Die Unified-Thread-Management-Lüsung von Sophos bekommt Sicherheitsupdates, die mehrere Schwachstellen schließen.
---------------------------------------------
https://heise.de/-3570179


*** Electronic Safe Lock Analysis: Part 2 ***
---------------------------------------------
After performing an initial tear-down, we were able to map out the device's behaviors and attack surface. We then narrowed our efforts on analyzing the device's BLE wireless communication. The Prologic B01's main feature is that it can be unlocked by a mobile Android or iOS device over BLE. The end result was a fully-automated attack that allows us to remotely compromise any Prologic B01 lock up to 100 yards away.
---------------------------------------------
http://www.somersetrecon.com/blog/2016/10/14/electronic-safe-lock-analysis-part-2-


*** Microsoft Fixes Windows 10 Issue That Knocked People off the Internet ***
---------------------------------------------
Microsft has released KB3206632, a Windows update that fixes an issue introduced in an earlier update that crashed the CDPSVC service and prevented some users from receiving IP address information via the DCHP protocol, used by both home and enterprise-grade routers to connect users to the Internet. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-10-issue-that-knocked-people-off-the-internet/


*** Xen Security Advisory 200 (CVE-2016-9932) - x86 CMPXCHG8B emulation fails to ignore operand size override ***
---------------------------------------------
Impact: A malicious unprivileged guest may be able to obtain sensitive information from the host.
---------------------------------------------
http://seclists.org/oss-sec/2016/q4/662


*** PHP: imagefilltoborder stackoverflow on truecolor images (CVE 2016-9933) ***
---------------------------------------------
Invalid color causes stack exhaustion by recursive call to function gdImageFillToBorder when the image used is truecolor. This was tested on a 64 bits platform.
---------------------------------------------
https://bugs.php.net/bug.php?id=72696


*** Joomla! Security Announcements ***
---------------------------------------------
*** [20161203] - Core - Information Disclosure ***
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/EY3UcBwQtzI/666-20161203-core-information-disclosure.html
---------------------------------------------
*** [20161202] - Core - Shell Upload ***
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/fI7Ty93n-Rk/665-20161202-core-shell-upload.html
---------------------------------------------
*** [20161201] - Core - Elevated Privileges ***
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/OjvlaBoXTCU/664-20161201-core-elevated-privileges.html
---------------------------------------------
*** [20161204] - Misc. Security Hardening ***
http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/jYB3ItEGbWQ/667-20161204-misc-security-hardening.html
---------------------------------------------


*** Novell Patches ***
---------------------------------------------
*** Filr 2.0 - Security Update 3 ***
https://download.novell.com/Download?buildid=Am-_TGOll0g~
---------------------------------------------
*** Filr 3.0 - Security Update 1 ***
https://download.novell.com/Download?buildid=Qct0ao9jRAI~
---------------------------------------------
*** IDM 4.5 Delimited Text Driver 4.0.2.0 ***
https://download.novell.com/Download?buildid=hX_xlukrkNY~
---------------------------------------------


*** Huawei Security Advisories ***
---------------------------------------------
*** Security Advisory - Buffer Overflow Vulnerability in Wi-FI Driver of Huawei Smart Phone ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-02-smartphone-en
---------------------------------------------
*** Security Advisory - DoS Vulnerability in Huawei Firewall ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-01-firewall-en
---------------------------------------------
*** Security Advisory - E-mail Information Leak Vulnerability in Android System ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-01-smartphone-en
---------------------------------------------
*** Security Advisory - Memory Leak Vulnerability in Some Huawei Products ***
http://www.huawei.com/en/psirt/security-advisories/2016/huawei-sa-20161214-01-ldp-en
---------------------------------------------


*** ICS-CERT Advisories ***
---------------------------------------------
*** Visonic PowerLink2 Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-01
---------------------------------------------
*** Moxa DACenter Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-02
---------------------------------------------
*** Delta Electronics WPLSoft, ISPSoft, and PMSoft Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-03
---------------------------------------------
*** Siemens SIMATIC WinCC and SIMATIC PCS 7 ActiveX Vulnerability ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-04
---------------------------------------------
*** Siemens S7-300/400 PLC Vulnerabilities ***
https://ics-cert.us-cert.gov/advisories/ICSA-16-348-05
---------------------------------------------


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Oct 2016 - Includes Oracle Oct 2016 CPU affect Content Collector for IBM Connections ***
https://www-01.ibm.com/support/docview.wss?uid=swg21988356
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Asset analyzer. (CVE-2016-5597) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995883
---------------------------------------------
*** IBM Security Bulletin: Sweet32 Birthday attacks on 64-bit block ciphers in TLS affect Content Manager for z/OS (CVE-2016-2183) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21995455
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in BIND affects IBM Netezza Host Management ***
http://www.ibm.com/support/docview.wss?uid=swg21994505
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009647
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009554
---------------------------------------------
*** IBM Security Bulletin: Multiple Security Vulnerabilities in OpenSSL affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) ***
http://www.ibm.com/support/docview.wss?uid=swg21995129
---------------------------------------------
*** IBM Security Bulletin: Password disclosure vulnerability in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware vSphere GUI (CVE-2016-6034) ***
http://www.ibm.com/support/docview.wss?uid=swg21995544
---------------------------------------------
*** IBM Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-5986 ***
http://www.ibm.com/support/docview.wss?uid=swg21995745
---------------------------------------------
*** IBM Security Bulletin: Potential Information Disclosure in WebSphere Application Server ***
http://www-01.ibm.com/support/docview.wss?uid=swg21991469
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities affect IBM Spectrum Control formerly Tivoli Storage Productivity Center (CVE-2016-8941, CVE-2016-8942, CVE-2016-8943) ***
http://www.ibm.com/support/docview.wss?uid=swg21995128
---------------------------------------------