[CERT-daily] Tageszusammenfassung - Freitag 30-06-2017

Fri Jun 30 18:16:31 CEST 2017

=======================
= End-of-Shift report =
=======================

Timeframe:   Donnerstag 29-06-2017 18:00 − Freitag 30-06-2017 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Eternal Champion Exploit Analysis ***
---------------------------------------------
Recently, a group named the ShadowBrokers published several remote server exploits targeting various protocols on older versions of Windows. In this post we are going to look at the EternalChampion exploit in detail to see what vulnerabilities it exploited, how it exploited them, and how the latest mitigations in Windows 10 break the exploit as-written....
---------------------------------------------
https://blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis/


*** Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone ***
---------------------------------------------
A fourth ransomware campaign focused on Ukraine has surfaced today, following some of the patterns seen in past ransomware campaigns that have been aimed at the country, such as XData, PScrypt, and the infamous NotPetya. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/


*** Sicherheitsupdates angekündigt: Ciscos IOS-System ist für Schadcode anfällig ***
---------------------------------------------
Bisher können Betroffene die Bedrohung durch neu entdeckte Schwachstellen in Ciscos IOS und IOS EX nur über Workarounds eindämmen. Sicherheitspatches sollen folgen.
---------------------------------------------
https://heise.de/-3759927


*** e-Government in Deutschland: Kritische Schwachstellen in zentraler Transportkomponente ***
---------------------------------------------
You can find the English version of this post here containing further technical details.Die "OSCI-Transport" Java-Bibliothek ist eine Kernkomponente im deutschen e-Government. Schwachstellen in dieser Komponente erlauben es einem Angreifer, bestimmte zwischen Behörden ausgetauschte Informationen zu entschlüsseln oder zu manipulieren bzw. sogar Daten von Behördenrechnern auszulesen.OSCI-Transport ist ein Protokoll, das dazu dient Daten zwischen Behörden sicher [...]
---------------------------------------------
http://blog.sec-consult.com/2017/06/e-government-in-deutschland-schwachstellen.html


*** Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation ***
---------------------------------------------
On May 12, there was a major outbreak of WannaCrypt ransomware. WannaCrypt directly borrowed exploit code from the ETERNALBLUE exploit and the DoublePulsar backdoor module leaked in April by a group calling itself Shadow Brokers. Using ETERNALBLUE, WannaCrypt propagated as a worm on older platforms, particularly Windows 7 and Windows Server 2008 systems that haven't...
---------------------------------------------
https://blogs.technet.microsoft.com/mmpc/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/


*** Eternal Blues: A free EternalBlue vulnerability scanner ***
---------------------------------------------
It is to be hoped that after the WannaCry and NotPetya outbreaks, companies will finally make sure to install - on all their systems - the Windows update that patches SMB vulnerabilities leveraged by the EternalBlue and EternalRomance exploits. These exploits are currently available to practically any hacker who might want to use them, and protecting systems against them should be a must for every organization. But while bigger ones might have an IT department [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/06/30/eternal-blues-eternalblue-vulnerability-scanner/


*** Cyber Europe 2016: Key lessons from a simulated cyber crisis ***
---------------------------------------------
Today marks the end of the latest cyber crisis exercise organised by ENISA, with the release of the after action report and closure video of Cyber Europe 2016.
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/cyber-europe-2016-key-lessons-from-a-simulated-cyber-crisis


*** TeleBots are back: supply-chain attacks against Ukraine ***
---------------------------------------------
The latest Petya-like outbreak has gathered a lot of attention from the media. However, it should be noted that this was not an isolated incident: this is the latest in a series of similar attacks in Ukraine. This blogpost reveals many details about the Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya) outbreak and related information about previously unpublished attacks.
---------------------------------------------
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/


*** How Malicious Websites Infect You in Unexpected Ways ***
---------------------------------------------
You probably spend most of your time on a PC browsing, whether that is Facebook, news or just blogs or pages that appeal to your particular interest. If a malicious hacker wants to break into your computer and scramble the kilobytes that make up your digital life, his starting point will be to create a [...]
---------------------------------------------
https://heimdalsecurity.com/blog/malicious-websites/


*** SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software ***
---------------------------------------------
The Simple Network Management Protocol(SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp


*** Schneider Electric U.motion Builder ***
---------------------------------------------
This advisory contains mitigation details for SQL injection, path traversal, improper authentication, use of hard-coded password, improper access control, denial of service, and information disclosure vulnerabilities in Schneider Electric's U.motion Builder.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-180-02


*** BIND TSIG Authentication Bugs Let Remote Users Bypass Authentication to Transfer or Modify Zone Conetnt ***
---------------------------------------------
http://www.securitytracker.com/id/1038809


*** SSA-545214 (Last Update 2017-06-29): Vulnerability in ViewPort for Web Office Portal ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-545214.pdf


*** SSA-874235 (Last Update 2017-06-29): Intel Vulnerability in Siemens Industrial Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235.pdf


*** 2017-06-16 (updated 2017-06-30): Cyber Security Notification - CrashOverride/Industroyer Malware ***
---------------------------------------------
http://search.abb.com/library/Download.aspx?DocumentID=9AKK107045A1003&LanguageCode=en&DocumentPartId=&Action=Launch


*** [2017-06-30] Multiple critical vulnerabilities in OSCI-Transport library 1.2 for German e-Government ***
---------------------------------------------
The OSCI-transport library 1.2, a core component of Germanys e-government infrastructure, is affected by XXE, padding oracle and signature wrapping. These vulnerabilities could be used to read local files from OSCI-systems, decrypt certain parts of a message or, under specific circumstances, even to forge messages.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170630-0_KOSIT_XOEV_OSCI-Transport_library_critical_vulnerabilities_german_egovernment_v10.txt


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin:OpenSource ICU4C Vulnernabilties in IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg21996949
---------------------------------------------
*** IBM Security Bulletin:Cross-site scripting vulnerability in WebSphere Application Server admin console in IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg21998348
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg21996957
---------------------------------------------
*** IBM Security Bulletin: WebSphere Application Server vulnerability with malformed SOAP requests in IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg21998347
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999097
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Microsoft SharePoint ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999099
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for File Systems ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999105
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999106
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache PDFBox Vulnerability in IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg21991027
---------------------------------------------
*** IBM Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections ***
https://www-01.ibm.com/support/docview.wss?uid=swg21999098
---------------------------------------------
*** IBM Security Bulletin: zlib vulnerability may affect IBM SDK, Java Technology Edition ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004465
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Intel Ethernet Controller XL710 affects IBM MQ Appliance ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002763
---------------------------------------------
*** IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Security Guardium (CVE-2017-1256) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004461
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in openssl, gnutl, mysql, kernel, glibc, ntp shipped with SmartCloud Entry Appliance ***
http://www.ibm.com/support/docview.wss?uid=isg3T1025342
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect Content Collector for IBM Connections ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001465
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM eDiscovery Analyzer ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001458
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for Microsoft SharePoint ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001455
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for File Systems ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001463
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2017 - Includes Oracle Jan 2017 CPU affect IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001460
---------------------------------------------
*** IBM Security Bulletin: WebSphere Application Server vulnerability in IBM Content Collector for Email ***
https://www-01.ibm.com/support/docview.wss?uid=swg21998346
---------------------------------------------
*** IBM Security Bulletin: SQL Injection vulnerability affects IBM Security Guardium (CVE-2017-1269) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004462
---------------------------------------------
*** IBM Security Bulletin: Missing Authentication for Critical Function affects IBM Security Guardium (CVE-2017-1258) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22004309
---------------------------------------------
*** IBM Security Bulletin: IBM InfoSphere Guardium is affected by Cleartext Transmission of Sensitive Information vulnerability (CVE-2016-0238 ) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21989124
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM HTTP Server affects Netezza Performance Portal (CVE-2015-8743) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003173
---------------------------------------------