[CERT-daily] Tageszusammenfassung - Mittwoch 22-03-2017

Wed Mar 22 18:11:18 CET 2017

=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 21-03-2017 18:00 − Mittwoch 22-03-2017 18:00
Handler:     Robert Waldner
Co-Handler:  n/a


*** Cybellum verkauft Autostart-Funktion als Zero-Day ***
---------------------------------------------
Mit kräftigen Worten, einem eigenen Namen und Logo und dem Prädikat "Zero-Day" stellt Cybellum eine Technik vor, mit der sich Malware in einem Windows-System verankern lässt -- nachdem es bereits die Kontrolle übernommen hat.
---------------------------------------------
https://heise.de/-3662090


*** QNAP Storage Devices Multiple Flaws Let Remote Users Inject SQL Commands, Steal Cookies, Conduct Cross-Site Scripting and Clickjacking Attacks, Obtain Potentially Sensitive Informaiton, and Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1038091


*** Vuln: Malware Information Sharing Platform CVE-2017-7215 Multiple Cross Site Scripting Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/96997


*** Vuln: Rockwell Automation FactoryTalk Activation CVE-2017-6015 Local Privilege Escalation Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/96996


*** Security Advisory - Information Leak Vulnerability in Huawei Hilink APP ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170322-01-hilinkapp-en


*** Security Advisory - Phone Finder Bypass Vulnerability in Some Huawei Smart Phones ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170322-01-smartphone-en


*** Phishingversuch bei der FH Oberösterreich ***
---------------------------------------------
In einer gefälschten FH OOE IT-SERVICE DESK-Nachricht heißt es, dass Empfänger/innen ihr Webmail-Konto bestätigen müssen. Dazu sollen sie eine Website aufrufen und ihre Zugangsdaten bekannt geben. Es handelt sich um einen Phishingversuch. Wer der Aufforderung nachkommt, übermittelt Kriminellen die Zugangsdaten des FH OÖ-Webmailkontos.
---------------------------------------------
https://www.watchlist-internet.at/phishing/phishingversuch-bei-der-fh-oberoesterreich/


*** Avatar Rootkit: Dropper Analysis Part 2 ***
---------------------------------------------
In this second article on the dropper, we will resume our analysis right where we left off: the decryption of the key and data. After the decryption, two structures are initialized. The equivalent pseudo-code is presented below.
---------------------------------------------
http://resources.infosecinstitute.com/avatar-rootkit-dropper-analysis-part-2/


*** Security Advisory - Sixteen OpenSSL Vulnerabilities on Some Huawei products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170322-01-openssl-en


*** Intermediate Mitigation Measures May be Required for Apache Struts Vulnerabilities ***
---------------------------------------------
The general consensus among InfoSec professionals is to patch critical vulnerabilities such as Apache Struts as soon as a patch is made available by the vendor. So why mightn't your company simply patch Apache Struts and go on your merry way? Not all events can be remediated immediately. Very often, intermediate mitigation measures must be taken to lower the risk of exploit and protect assets very quickly.
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/intermediate-mitigation-measures-may-be-required-for-apache-struts-vulnerabilities


*** Passwortklau-Lücke in Lastpass geschlossen (oder auch nicht) ***
---------------------------------------------
Eine Sicherheitslücke im Passwort-Manager Lastpass erlaubt das Auslesen von Passwörtern. Unter Umständen kann der Angreifer auch Code ausführen. Es gibt Berichte, dass der Fix von Lasspass die Lücke bisher nicht erfolgreich geschlossen hat.
---------------------------------------------
https://heise.de/-3661616


*** Code Execution Vulnerability Found in Libpurple IM Library ***
---------------------------------------------
A severe vulnerability has been disclosed in libpurple, the library used in the development of a number of popular instant messaging clients, including Pidgin and Adium for the macOS platform. Adium 1.5.10.2 is vulnerable and can be exploited to run arbitrary code remotely. ... Pidgin has been patched in version 2.12.0.
---------------------------------------------
https://threatpost.com/code-execution-vulnerability-found-in-libpurple-im-library/124448/


*** Vuln: D-Link DIR-600M CVE-2017-5874 Cross Site Request Forgery Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/96999


*** Apple-Erpressung: Hacker drohen angeblich mit Fernlöschung von iPhones ***
---------------------------------------------
Das Ändern der PIN aus der Ferne ist bei iPhone und iPad allerdings nur möglich, wenn der Nutzer keine Code-Sperre für sein Gerät eingerichtet hat - die Aktivierung der Code-Sperre ist auch deshalb dringend zu empfehlen. Um den Zugriff auf die eigenen iCloud-Daten besser zu schützen, sollte Apples Zwei-Faktor-Authentifizierung aktiviert werden. Die Sicherheitsfunktion hilft allerdings nicht gegen das Fernsperren und Fernlöschen...
---------------------------------------------
https://www.heise.de/mac-and-i/meldung/Apple-Erpressung-Hacker-drohen-angeblich-mit-Fernloeschung-von-iPhones-3661884.html


*** SAP Vulnerability Puts Business Data at Risk for Thousands of Companies ***
---------------------------------------------
Researchers at ERPScan today disclosed details and a proof-of-concept exploit for a SAP GUI remote code execution vulnerability patched last week.
---------------------------------------------
http://threatpost.com/sap-vulnerability-puts-business-data-at-risk-for-thousands-of-companies/124473/


*** Cisco Security Advisories ***
---------------------------------------------
*** Cisco IOS and IOS XE Software DHCP Client Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-dhcpc
---------------------------------------------
*** Cisco IOS XE Software for Cisco ASR 920 Series Routers Zero Touch Provisioning Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-ztp
---------------------------------------------
*** Cisco IOS XE Software HTTP Command Injection Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-xeci
---------------------------------------------
*** Cisco IOS XE Software Web User Interface Denial of Service Vulnerability ***
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-webui
---------------------------------------------
*** Cisco IOS and IOS XE Software Layer 2 Tunneling Protocol Denial of Service Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-l2tp
---------------------------------------------
*** Cisco IOx Data in Motion Stack Overflow Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-iox
---------------------------------------------
*** Cisco Application-Hosting Framework Directory Traversal Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-caf1
---------------------------------------------
*** Cisco Application-Hosting Framework Arbitrary File Creation Vulnerability ***
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170322-caf2
---------------------------------------------


*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager ***
https://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=migr-5099552
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Apache Tomcat affect SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2017-6056) ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010022
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Sterling Connect:Direct for HP NonStop (CVE-2016-7055, CVE-2017-3732) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000456
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access ***
http://www.ibm.com/support/docview.wss?uid=swg21999797
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities CVE-2016-0736, CVE-2016-2161 and CVE-2016-8743 in IBM i HTTP Server ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021918
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Open Source Samba, NTP and ISC BIND affect IBM Netezza Host Management ***
http://www-01.ibm.com/support/docview.wss?uid=swg21997024
---------------------------------------------