[CERT-daily] Daily Summary - Thursday 15-09-2016

Daily end-of-shift report team at cert.at
Thu Sep 15 18:04:45 CEST 2016


=======================
= End-of-Shift report =
=======================

Timeframe:   Wednesday 14-09-2016 18:00 − Thursday 15-09-2016 18:00
Handler:     Alexander Riepl
Co-Handler:  n/a


*** Cisco IOS and IOS XE Software IOx Local Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability in the web framework code of the Cisco Local Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of the affected ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160914-ios




*** Cisco WebEx Meetings Server Remote Command Execution Vulnerability ***
---------------------------------------------
A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to bypass security restrictions on a host located in a DMZ and inject arbitrary commands on a targeted system. The vulnerability is due ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160914-wem




*** Cisco Unified Computing System Command Line Interface Privilege Escalation Vulnerability ***
---------------------------------------------
A vulnerability in the command-line interface (CLI) of the Cisco Unified Computing System (UCS) Manager and UCS 6200 Series Fabric Interconnects could allow an authenticated, local attacker to access the underlying operating system ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160914-ucs




*** Cisco Fog Director for IOx Arbitrary File Write Vulnerability ***
---------------------------------------------
A vulnerability in the Cisco Fog Director for IOx could allow an authenticated, remote attacker to write a file to arbitrary locations. The vulnerability is due to insufficient input validation. An attacker could exploit this ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160914-ioxfd




*** iOS 10 closes security holes in keyboard and sandbox ***
---------------------------------------------
The update to iOS 10.0.1 fixes seven weaknesses, including a possible disclosure of 'sensitive information' through the keyboard's autocorrection. watchOS 3 plugs one hole.
---------------------------------------------
http://heise.de/-3323066




*** DSA-3666 mysql-5.5 - security update ***
---------------------------------------------
Dawid Golunski discovered that the mysqld_safe wrapper provided by the MySQL database server insufficiently restricted the load path for custom malloc implementations, which could result in privilege escalation.
---------------------------------------------
https://www.debian.org/security/2016/dsa-3666




*** Science press site hacked; hackers release .. random crap ***
---------------------------------------------
http://arstechnica.com/science/2016/09/science-press-site-hacked-hackers-release-random-crap/




*** Cryptocurrencies a Target for Cybercriminals, Part 1: the Risks of Innovation ***
---------------------------------------------
All cryptocurrencies are a target for cybercriminals. Anywhere there is value, criminals, fraudsters, and charlatans will soon follow. Call it the Willie Sutton principle. Sutton, a famous bank robber in the 1920s–30s, was asked why he ..
---------------------------------------------
https://blogs.mcafee.com/mcafee-labs/cryptocurrencies-a-target-for-cybercriminals-part-1-the-risks-of-innovation/




*** Russian Hackers Get Bolder in Anti-Doping Agency Attack ***
---------------------------------------------
The attack on the World Anti-Doping Agency, following the DNC hack, signals Russian hackers emerging from the shadows to brazenly flaunt their work.
---------------------------------------------
https://www.wired.com/2016/09/anti-doping-agency-attack-shows-russian-hackers-getting-bolder/




*** Virtual ship theft in Star Citizen ***
---------------------------------------------
In the as yet unfinished space epic Star Citizen, players can buy virtual spaceships for hundreds of euros. Attacks on players' accounts now appear to be increasing, with the aim of stealing these ships.
---------------------------------------------
http://heise.de/-3323060




*** DSA-3667 chromium-browser - security update ***
---------------------------------------------
https://www.debian.org/security/2016/dsa-3667




*** Ransomware Locky now with autopilot ***
---------------------------------------------
According to security researchers, Locky can now also do its damage offline, without contact with the criminals' command-and-control server.
---------------------------------------------
http://heise.de/-3324553

