[CERT-daily] Daily summary - 19.11.2018

Daily end-of-shift report team at cert.at
Mon Nov 19 18:21:41 CET 2018


=====================
= End-of-Day report =
=====================

Timeframe:   Friday 16-11-2018 18:00 − Monday 19-11-2018 18:00
Handler:     Dimitri Robl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Severe security vulnerabilities in GPS children's watches ∗∗∗
---------------------------------------------
GPS watches were supposed to increase children's safety. Now they are themselves becoming a risk.
---------------------------------------------
https://futurezone.at/digital-life/schwere-sicherheitsluecken-in-gps-kinderuhren/400326996



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Synaccess netBooter NP-0801DU 7.4 CSRF Add Admin Exploit ∗∗∗
---------------------------------------------
The application's web interface carries out state-changing actions on HTTP requests without any check that the request actually originated from the application itself (no anti-CSRF token or origin validation). An attacker can therefore have the browser of a logged-in administrator perform privileged actions, such as adding an admin account, simply by getting that administrator to visit a malicious web site.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5501.php


∗∗∗ Synaccess netBooter NP-02x/NP-08x 6.8 Authentication Bypass ∗∗∗
---------------------------------------------
netBooter suffers from an authentication bypass vulnerability because the webNewAcct.cgi script does not check that the caller is authenticated when creating users. This allows an unauthenticated attacker to create an admin user account, bypass authentication, and then switch off the power supply to a connected resource.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5500.php
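Both netBooter items above come down to the same handler pattern: an account-creation endpoint that performs its action for whoever reaches it, once without any session check (authentication bypass) and once without any proof that the logged-in admin's browser meant to send the request (CSRF). The following is an added illustration of that pattern and its hardened counterpart; it is not netBooter's code, not the advisories' proof of concept, and the names (AcctService, Request, the parameter and cookie names, the origin URLs) are assumptions made for the example.

```python
"""Account-creation handler: vulnerable pattern (no auth, no CSRF check)
beside a hardened one. Hypothetical code for illustration, not netBooter's."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request reaching a CGI handler."""
    method: str
    params: dict
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class AcctService:
    """Hypothetical device user store; 'admin' exists from the factory."""

    def __init__(self, origin="https://device.example"):
        self.users = {"admin": "admin"}          # username -> role
        self.sessions = {}                       # session id -> username
        self.secret = secrets.token_bytes(32)    # per-boot key for CSRF tokens
        self.origin = origin                     # expected Origin of our own UI

    def login(self, username):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def csrf_token(self, sid):
        # Token is an HMAC over the session id, so a cross-site page that can
        # make the browser send the cookie still cannot know the token value.
        return hmac.new(self.secret, sid.encode(), hashlib.sha256).hexdigest()

    def vulnerable_new_acct(self, req):
        """Vulnerable: no method, session, role or CSRF check at all."""
        self.users[req.params["user"]] = req.params.get("role", "user")
        return 200

    def hardened_new_acct(self, req):
        """Hardened: state change only via POST, by an authenticated admin,
        from our own origin, with a session-bound CSRF token."""
        if req.method != "POST":
            return 405
        sid = req.cookies.get("session")
        actor = self.sessions.get(sid)
        if actor is None:
            return 401                       # blocks the unauthenticated path
        if self.users.get(actor) != "admin":
            return 403
        origin = req.headers.get("Origin")
        if origin is not None and origin != self.origin:
            return 403                       # cross-site form post
        token = req.params.get("csrf", "")
        if not hmac.compare_digest(token, self.csrf_token(sid)):
            return 403                       # cookie alone is not consent
        self.users[req.params["user"]] = req.params.get("role", "user")
        return 200


def unauthenticated_attack(handler_name):
    """Attacker with no session posts straight to the account-creation handler."""
    svc = AcctService()
    req = Request("POST", {"user": "evil", "role": "admin"})
    status = getattr(svc, handler_name)(req)
    return status, svc.users.get("evil")


def csrf_attack(handler_name):
    """Admin is logged in; a malicious page auto-submits a form that carries
    the session cookie but no token and comes from a foreign origin."""
    svc = AcctService()
    sid = svc.login("admin")
    req = Request("POST", {"user": "evil", "role": "admin"},
                  cookies={"session": sid},
                  headers={"Origin": "https://attacker.example"})
    status = getattr(svc, handler_name)(req)
    return status, svc.users.get("evil")


def legitimate_request():
    """Admin's own UI: valid session, own origin, matching CSRF token."""
    svc = AcctService()
    sid = svc.login("admin")
    req = Request("POST", {"user": "ops", "role": "user", "csrf": svc.csrf_token(sid)},
                  cookies={"session": sid}, headers={"Origin": svc.origin})
    return svc.hardened_new_acct(req), svc.users.get("ops")


if __name__ == "__main__":
    for h in ("vulnerable_new_acct", "hardened_new_acct"):
        print(h, "unauthenticated:", unauthenticated_attack(h),
              "csrf:", csrf_attack(h))
    print("legitimate via hardened handler:", legitimate_request())
```

The two attack helpers differ only in whether an admin session cookie rides along: the first models the webNewAcct.cgi-style missing authentication check, the second the missing CSRF check. Note that the hardened handler rejects the forged request twice over (foreign Origin, then missing token); the token check is the one that must stay, since older clients and some proxies strip the Origin header.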


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (grafana and patch), Debian (chromium-browser), Fedora (cabextract, curl, elfutils, firefox, flatpak, glusterfs, kernel, kernel-headers, kernel-tools, kio-extras, libmspack, mariadb, mupdf, poppler, suricata, and wireshark), Mageia (hylafax+, jhead, libmspack/cabextract, nginx, sdl2/mingw-SDL2, and squid), openSUSE (amanda, apache-pdfbox, chromium, ImageMagick, LibreOffice and dependency libraries, libxkbcommon, openssh, systemd, and [...]
---------------------------------------------
https://lwn.net/Articles/772522/


∗∗∗ Serial number disclosure in the FortiOS PPTP server hostname protocol field ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-18-101


∗∗∗ Cross-site scripting (XSS) vulnerability via DHCP Hostname parameter ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-18-121


∗∗∗ IBM Security Bulletin: Vulnerability in IBM Java SDK Affects IBM Algo Credit Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ibm-java-sdk-affects-ibm-algo-credit-manager/


∗∗∗ IBM Security Bulletin: IBM API Connect is affected by a denial of service vulnerability via large JSON payloads (CVE-2018-1779) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-a-denial-of-service-vulnerability-via-large-json-payloads-cve-2018-1779/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-performance-management-products/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-sdk-java-technology-edition-affect-ibm-operational-decision-manager-5/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-host-on-demand-2/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-1683, CVE-2018-8039) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-websphere-application-server-affect-ibm-spectrum-control-formerly-tivoli-storage-productivity-center-cve-2018-1683-cve-2018-8039/


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Storage Manager FastBack (CVE-2018-1656, CVE-2018-12539) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-tivoli-storage-manager-fastback-cve-2018-1656-cve-2018-12539/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
