[CERT-daily] Tageszusammenfassung - 14.11.2017

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 13-11-2017 18:00 − Dienstag 14-11-2017 18:00
Handler:     Nina Bieringer
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Breaking security controls using subdomain hijacking ∗∗∗
---------------------------------------------
Users obtain a domain name to establish a unique identity on the
Internet. Domain names are not only used to serve names and addresses
of computers and services but also to store security controls, such as
SPF or CAA records. 
---------------------------------------------
https://securityblog.switch.ch/2017/11/14/subdomain-hijacking/


∗∗∗ Investigating Command and Control Infrastructure (Emotet) ∗∗∗
---------------------------------------------
Although the majority of botnets still use a basic client-server model,
with most relying on HTTP servers to receive commands, many prominent
threats now use more advanced infrastructure to evade endpoint
blacklisting and be resilient to take-down. In this article I will go
through and explain my process of identifying Command and Control (C2)
servers and understanding their topology, using Emotet as an example.
---------------------------------------------
https://www.malwaretech.com/2017/11/investigating-command-and-control-infrastructure-emotet.html


∗∗∗ XZZX Cryptomix Ransomware Variant Released ∗∗∗
---------------------------------------------
A new CryptoMix Ransomware variant has been discovered that appends the
.XZZX extension to encrypted files. This article will discuss the
changes found in this new variant.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-variant-released/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ SQL Injection in bbPress ∗∗∗
---------------------------------------------
During regular audits of our Sucuri Firewall (WAF), one of our
researchers at the time, Slavco Mihajloski, discovered an SQL Injection
vulnerability affecting bbPress. If the proper conditions are met, this
vulnerability is very easy to abuse by any visitors on the victim’s
website. Because details about this vulnerability have been made public
today on a Hackerone report, and updating to the latest version of
WordPress fixes the root cause of the problem, we chose to disclose
this bug
---------------------------------------------
https://blog.sucuri.net/2017/11/sql-injection-bbpress.html


∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Flash Player (APSB17-33),
Photoshop CC (APSB17-34), Connect (APSB17-35), Acrobat and Reader
(APSB17-36), DNG Converter (APSB17-37), InDesign CC (APSB17-38),
Digital Editions (APSB17-39), Shockwave Player (APSB17-40) and Adobe
Experience Manager (APSB17-41).
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1510


∗∗∗ #AVGater: Systemübernahme via Quarantäne-Ordner ∗∗∗
---------------------------------------------
Eine neue Angriffstechnik nutzt die Wiederherstellungs-Funktion der
Anti-Viren-Quarantäne, um Systeme via Malware zu kapern. Bislang
reagierten sechs Software-Hersteller mit Updates.
---------------------------------------------
https://heise.de/-3889107


∗∗∗ Authentication bypass, cross-site scripting & code execution in
Siemens SICAM RTU SM-2556 ∗∗∗
---------------------------------------------
The Siemens SICAM RTUs SM-2556 COM Modules (firmware variants ENOS00,
ERAC00, ETA2, ETLS00, MODi00 and DNPi00) are affected by an
authentication bypass vulnerability as the authentication checks are
only performed client-side (JavaScript). Furthermore, the device is
affected by cross site scripting vulnerabilities and outdated webserver
software which allows code execution.
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/authentication-bypass-cross-site-scripting-in-siemens-sicam-rtus-sm-2556/index.html


∗∗∗ Vulnerability in windows antivirus products (IK-SA-2017-0002) ∗∗∗
---------------------------------------------
A privilege escalation and arbitrary write vulnerability was found in
all our windows antivirus products. [...]
Successful exploitation of this issue would allow an attacker to
overwrite any memory region (including kernel) in the client machine
with elevated privileges. 
---------------------------------------------
http://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-windows-antivirus-products-ik-sa-2017-0002/


∗∗∗ SAP Security Patch Day - November 2017 ∗∗∗
---------------------------------------------
On 14th of November 2017, SAP Security Patch Day saw the release of 13
Security Notes. Additionally, there were 9 updates to previously
released security notes.
---------------------------------------------
https://blogs.sap.com/2017/11/14/sap-security-patch-day-november-2017/


∗∗∗ DFN-CERT-2017-2025/">OTRS: Eine Schwachstelle ermöglicht das
Ausspähen von Informationen ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-2025/


∗∗∗ DFN-CERT-2017-2024/">Symantec Endpoint Encryption: Zwei
Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-2024/


∗∗∗ IBM Security Bulletin: Vulnerability may affect IBM® SDK for
Node.js™ (CVE-2017-14919) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22009851


∗∗∗ IBM Security Bulletin: IBM® Db2® is affected by vulnerabilities in
the IBM® SDK, Java Technology Edition Quarterly Critical Patch Updates
(CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22010282


∗∗∗ IBM Security Bulletin: Open Source VMware Fusion Vulnerabilities in
IBM Pure Application System (CVE-2017-4903, CVE-2017-4904,
CVE-2017-4905) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22009145


∗∗∗ Cacti Input Validation Flaw in Page Refresh Lets Remote Users
Conduct Cross-Site Scripting Attacks ∗∗∗
---------------------------------------------
http://www.securitytracker.com/id/1039774


∗∗∗ jQuery vulnerability CVE-2016-7103 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K95208524


∗∗∗ Java vulnerability CVE-2017-10135 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K23489380


∗∗∗ Java vulnerability CVE-2017-10198 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K04734043


∗∗∗ Java SE and JRockit vulnerability CVE-2017-10243 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K54747614

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily