[CERT-daily] Tageszusammenfassung - 09.04.2018

Daily end-of-shift report team at cert.at
Mon Apr 9 18:06:16 CEST 2018


=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 06-04-2018 18:00 − Montag 09-04-2018 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ ARP Spoofing in 2018: are you protected?, (Mon, Apr 9th) ∗∗∗
---------------------------------------------
This week I was reminded how efficient ARP (Address Resolution Protocol) spoofing attacks might be. A single Android device equipped with offensive tools was enough to fool any device on a network and capture sensitive data. But wait, we are talking about a threat as old as ARP specification from 1982. There arent vulnerable networks to this nowadays, right? Wrong.
---------------------------------------------
https://isc.sans.edu/diary/rss/23533


∗∗∗ Hacked Website Trend Report – 2017 ∗∗∗
---------------------------------------------
We are proud to be releasing our latest Hacked Website Trend Report for 2017. This report is based on data collected and analyzed by the Sucuri Remediation Group (RG), which includes the Incident Response Team (IRT) and the Malware Research Team (MRT). The data presented stems from the analysis of 34,371 infected websites summarizing the latest trends by bad actors.
---------------------------------------------
https://blog.sucuri.net/2018/04/hacked-website-trend-report-2017.html


∗∗∗ The dots do matter: how to scam a Gmail user ∗∗∗
---------------------------------------------
I recently received an email from Netflix which nearly caused caused me to add my card details to someone else’s Netflix account. Here I show that this is a new kind of phishing scam which is enabled by an obscure feature of Gmail called “the dots don’t matter”. I then argue that the dots do matter, and that this Gmail feature is in fact a misfeature.
---------------------------------------------
https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user


∗∗∗ Event Log Auditing, Demystified ∗∗∗
---------------------------------------------
the topic of reviewing event logs has received a fair amount grunts, groans, and questions such as “You honestly expect us to review all of that data?!” or “We have so many systems! Where would we even begin?” or “We already have enough on our plate to worry about!”. Fortunately, the times have changed, and log aggregation has matured over a relatively short amount of time. Its existence alone however is not the complete answer to log auditing woes.
---------------------------------------------
https://medium.com/@jeremy.trinka/event-log-auditing-demystified-75b55879f069


∗∗∗ How to prevent bypassing AppLocker using Alternate Data Streams ∗∗∗
---------------------------------------------
I usually write my blog-posts in german. This one is in english, because Sami Laiho asked me to do a short write-up, to make this problem available to a broader audience. Who is affected and what’s the problem? If you are using AppLocker Application-Whitelisting using Path-Rules with Exceptions you are probably affected.
---------------------------------------------
https://hitco.at/blog/howto-prevent-bypassing-applocker-using-alternate-data-streams/


∗∗∗ Nicht bestellen bei salewaz.top! ∗∗∗
---------------------------------------------
Auf der Website salewaz.top findet man Kleidung und Sportausrüstung der bekannten Marke Salewa. Die Preise der Angebote sind um vieles niedriger als üblich für Salewa-Produkte, weshalb ein Kauf auf den ersten Blick attraktiv erscheint. KonsumentInnen sollten in diesem Shop auf keinen Fall bestellen, denn es handelt sich um betrügerische Anbieter und es wird trotz Bezahlung keine Ware verschickt.
---------------------------------------------
https://www.watchlist-internet.at/news/nicht-bestellen-bei-salewaztop/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Bugtraq: [RT-SA-2017-015] CyberArk Password Vault Memory Disclosure ∗∗∗
---------------------------------------------
Data in the CyberArk Password Vault may be accessed through a proprietary network protocol. While answering to a client's logon request, the vault discloses around 50 bytes of its memory to the client.
---------------------------------------------
http://www.securityfocus.com/archive/1/541931


∗∗∗ Bugtraq: [RT-SA-2017-014] CyberArk Password Vault Web Access Remote Code Execution ∗∗∗
---------------------------------------------
The CyberArk Password Vault Web Access application uses authentication tokens which consist of serialized .NET objects. By crafting manipulated tokens, attackers are able to gain unauthenticated remote code execution on the web server.
---------------------------------------------
http://www.securityfocus.com/archive/1/541932


∗∗∗ Authentication Bypass Vulnerability Found in Auth0 Identity Platform ∗∗∗
---------------------------------------------
A critical authentication bypass vulnerability has been discovered in one of the biggest identity-as-a-service platform Auth0 that could have allowed a malicious attacker to access any portal or application, which are using Auth0 service for authentication. Auth0 offers token-based authentication solutions for a number of platforms including the ability to integrate social media ...
---------------------------------------------
https://thehackernews.com/2018/04/auth0-authentication-bypass.html


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (openssl and zziplib), Debian (ldap-account-manager, ming, python-crypto, sam2p, sdl-image1.2, and squirrelmail), Fedora (bchunk, koji, libidn, librelp, nodejs, and php), Gentoo (curl, dhcp, libvirt, mailx, poppler, qemu, and spice-vdagent), Mageia (389-ds-base, aubio, cfitsio, libvncserver, nmap, and ntp), openSUSE (GraphicsMagick, ImageMagick, spice-gtk, and wireshark), Oracle (kubernetes), Slackware (patch), and SUSE (apache2 and openssl).
---------------------------------------------
https://lwn.net/Articles/751346/


∗∗∗ The BIG-IP DNS/GTM system may be exposed to DNS hijacking when the BIG-IP system host name belongs to a public domain name that the BIG-IP owner does not control ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K32518458


∗∗∗ Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi


∗∗∗ Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2


∗∗∗ Security Notice - Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2018/huawei-sn-20180104-01-intel-en


∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in Samba affect IBM i ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022524


∗∗∗ IBM Security Bulletin: Vulnerability in sendmail impacts AIX (CVE-2014-3956) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=isg3T1027341

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list