[CERT-daily] Tageszusammenfassung - 26.09.2018

Wed Sep 26 18:17:34 CEST 2018

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 25-09-2018 18:00 − Mittwoch 26-09-2018 18:00
Handler:     Alexander Riepl
Co-Handler:  Robert Waldner

=====================
=       News        =
=====================

∗∗∗ Der nächste Meilenstein: [CERT.at #1000000] ∗∗∗
---------------------------------------------
Für unsere Kommunikation per E-Mail verwenden wir (wie viele Firmen) ein Ticketsystem, damit a) die Kommunikation für alle Teammitglieder nachvollziehbar ist, dass b) möglichst keine Anfragen unbeantwortet bleiben und c) der Workflow mit Meldung/Vorfall/Nachforschung abgebildet werden kann.
---------------------------------------------
http://www.cert.at/services/blog/20180926100651-2293.html


∗∗∗ Nach Safari und Chrome: Firefox ins Jenseits befördern ∗∗∗
---------------------------------------------
Mit einem präparierten Link kann Mozillas Firefox zum Absturz gebracht werden. Ähnliches hat ein Sicherheitsforscher zuvor mit Apples Safari und Googles Chrome gezeigt. Auf einer Webseite sammelt er die Lücken - mitsamt Absturz-Button.
---------------------------------------------
https://www.golem.de/news/nach-safari-und-chrome-firefox-ins-jenseits-befoerdern-1809-136775-rss.html


∗∗∗ New CVE-2018-8373 Exploit Spotted ∗∗∗
---------------------------------------------
On September 18, 2018, more than a month after we published a blog revealing the details of a use-after-free (UAF) vulnerability CVE-2018-8373 that affects the VBScript engine in newer Windows versions, we spotted another exploit that uses the same vulnerability. Its important to note that this exploit doesnt work on systems with updated Internet Explorer versions.
---------------------------------------------
https://blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2018-8373-exploit-spotted/


∗∗∗ Full compliance with the PCI DSS drops for the first time in six years ∗∗∗
---------------------------------------------
After documenting improvements in Payment Card Industry Data Security Standard (PCI DSS) compliance over the past six years (2010 – 2016), Verizon’s 2018 Payment Security Report (PSR) now reveals a concerning downward trend with companies failing compliance assessments and perhaps, more importantly, not maintaining – full compliance. 
---------------------------------------------
https://www.helpnetsecurity.com/2018/09/26/pci-dss-compliance-drop/


∗∗∗ Gefälschte kabelplus-Phishingmail im Umlauf ∗∗∗
---------------------------------------------
Kriminelle versenden eine gefälschte kabelplus-Nachricht. Darin behaupten sie, dass „ihr Kabelplus Webmail (kabsi.at) Nachrichtenspeicher das Limit-Kontingent in unserer Datenbank erreicht“ hat. Aus diesem Grund sollen Kund/innen eine externe Website aufrufen und persönliche Daten bekannt geben. Diese übermitteln sie nicht an kabelplus, sondern an Kriminelle.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-kabelplus-phishingmail-im-umlauf/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Magecart Attacks Grow Rampant in September ∗∗∗
---------------------------------------------
Attacks that compromise websites with scripts that steal payment card data from checkout pages have increased to hundreds of thousands of attempts in little over a month. 
---------------------------------------------
https://www.bleepingcomputer.com/news/security/magecart-attacks-grow-rampant-in-september/


∗∗∗ VU#581311: TP-Link EAP Controller lacks RMI authentication and is vulnerable to deserialization attacks ∗∗∗
---------------------------------------------
TP-Link EAP Controller lacks RMI authentication and is vulnerable to deserialization attacks
The TP-LINK EAP Controller is TP-LINKs software for remotely controlling wireless access point devices. EAP Controller for Linux lacks user authentication for RMI service commands, as well as utilizes an outdated vulnerable version of Apache commons-collections, which may allow an attacker to implement deserialization attacks and control the EAP Controller server.
---------------------------------------------
http://www.kb.cert.org/vuls/id/581311


∗∗∗ One Emotet infection leads to three follow-up malware infections, (Wed, Sep 26th) ∗∗∗
---------------------------------------------
In recent weeks, I've generally seen Emotet retrieve Trickbot, the IcedID banking Trojan, or spambot malware for its follow-up infection.  I rarely see Emotet retrieve more than one type of follow-up malware.  But on Tuesday 2018-09-25, my infected lab host retrieved Trickbot and IcedID immediately after an Emotet infection.  Then IcedID caused another infection with AZORult on the same host.
---------------------------------------------
https://isc.sans.edu/diary/rss/24140


∗∗∗ eDirectory 9.1.1 Hot Patch 1 ∗∗∗
---------------------------------------------
This patch is an update to eDirectory 9.1 Support Pack 1 (9.1.1).
This update is being provided to resolve potential critical issues found since the latest patch
Architecture: x86-64
Security patch: Yes
Priority: Mandatory
---------------------------------------------
https://download.novell.com/Download?buildid=vP3nS-Hctkk~


∗∗∗ Stored Cross-Site Scripting in Kendo UI Editor ∗∗∗
---------------------------------------------
A cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor. If the victim accesses the editor, the payload gets executed. Furthermore, if the payload is reflected at any other resource that does rely on the sanitisation of the editor itself, the JavaScript payload will be executed in the context of the application which allows attackers in the worst case to take over user sessions.
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/stored-cross-site-scripting-in-kendo-ui-editor-cve-2018-14037/


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python2.7 and python3.4), openSUSE (php5-smarty3), Oracle (389-ds-base, flatpak, kernel, and nss), Red Hat (389-ds-base, chromium-browser, flatpak, kernel, kernel-alt, kernel-rt, nss, and qemu-kvm-ma), and SUSE (ant, dom4j, kernel, and wireshark).
---------------------------------------------
https://lwn.net/Articles/766746/


∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability Affects IBM WebSphere Portal (CVE-2018-1820) ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=ibm10732287


∗∗∗ IBM Security Bulletin: Security Vulnerability in Apache Batik Affects IBM WebSphere Portal (CVE-2018-8013) ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=ibm10731435


∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK Affect IBM Algo Credit Manager ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ibm10728567


∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 7 & 8 Affect Transformation Extender ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=ibm10720173


∗∗∗ IBM Security Bulletin: Open Redirect Vulnerability in IBM WebSphere Portal (CVE-2018-1736) ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=ibm10729683


∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2018-1716) ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=ibm10729323


∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Cloud ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=ibm10732916


∗∗∗ IBM Security Bulletin: Open Source Libvorbis, Patch and Python-paramiko vulnerabilities affect IBM Netezza Host Management ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ibm10729297


∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2018-1660) ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=ibm10715923


∗∗∗ IBM Security Bulletin: Publicly disclosed vulnerability from BIND affect IBM Netezza Host Management ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ibm10729637

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily