From team at cert.at Mon Dec 2 18:06:41 2019
From: team at cert.at (Daily end-of-shift report)
Date: Mon, 2 Dec 2019 18:06:41 +0100
Subject: [CERT-daily] Daily summary - 02.12.2019
Message-ID: <15753064010.Ccd16c.11648@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Friday 29-11-2019 18:00 − Monday 02-12-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ Cybercrime Report 2018: crime on the net remains a major challenge ∗∗∗
---------------------------------------------
In 2018 the Cybercrime Competence Center (C4) of the Bundeskriminalamt (Federal Criminal Police Office) again recorded an increase in cybercrime offences. Compared to the previous year, a rise of 16.8 percent was registered, predominantly in the area of internet fraud.
---------------------------------------------
http://www.bmi.gv.at/news.aspx?id=6D4D326A543767595673593D

∗∗∗ Analysis of Malicious ElectrumX Servers Source Code ∗∗∗
---------------------------------------------
Recently I have found some malicious ElectrumX nodes in the Electrum network that are still being connected to by the Electrum software. In this post I share some information about these nodes and the patched ElectrumX code that they execute.
---------------------------------------------
http://www.peppermalware.com/2019/12/analysis-of-malicious-electrumx-servers.html

∗∗∗ Police warn of professional fake shops on the internet ∗∗∗
---------------------------------------------
A lot of shopping is done online in the run-up to Christmas. Fraudsters take advantage of this too. Right now, police experts are warning of their schemes.
---------------------------------------------
https://heise.de/-4600046

∗∗∗ Insight into NIS Directive sectoral incident response capabilities ∗∗∗
---------------------------------------------
The report provides a deeper insight into NISD sectoral Incident Response capabilities, procedures, processes and tools to identify the trends and possible gaps and overlaps.
---------------------------------------------
https://www.helpnetsecurity.com/2019/12/02/nis-directive-incident-response/

=====================
= Vulnerabilities =
=====================

∗∗∗ Multiple Critical Vulnerabilities in SALTO ProAccess SPACE ∗∗∗
---------------------------------------------
In the software SALTO ProAccess Space ... multiple typical web application vulnerabilities were identified. An authenticated attacker was able to exploit a path traversal vulnerability to back up arbitrary files into the web root. This allowed an attacker to export the database into the web root and download it. Furthermore, it was possible to combine another export feature with the path traversal vulnerability to write arbitrary contents to arbitrary locations on the backend Windows server.
---------------------------------------------
https://sec-consult.com/en/blog/advisories/multiple-critical-vulnerabilities-in-salto-proaccess-space/

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (389-ds-base, asterisk, file, nss, proftpd-dfsg, ssvnc, and tnef), Fedora (chromium, djvulibre, freeradius, ImageMagick, jhead, kernel, phpMyAdmin, python-pillow, and rubygem-rmagick), Mageia (bzip2, chromium-browser-stable, curl, dbus, djvulibre, glib2.0, glibc, gnupg2, httpie, libreoffice, libssh2, mosquitto, nginx, python-sqlalchemy, unbound, and zipios++), openSUSE (bluez, clamav, cpio, freerdp, openafs, phpMyAdmin, strongswan, and webkit2gtk3),
---------------------------------------------
https://lwn.net/Articles/806079/

∗∗∗ Multiple Cisco Analog Telephone Adapters Remote Code Execution Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-rce

∗∗∗ Cisco Webex Teams and Cisco Webex Meetings Client DLL Hijacking Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191120-webex-teams-dll

--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

From team at cert.at Tue Dec 3 18:15:08 2019
From: team at cert.at (Daily end-of-shift report)
Date: Tue, 3 Dec 2019 18:15:08 +0100
Subject: [CERT-daily] Daily summary - 03.12.2019
Message-ID: <15753933080.5f3D17E6e.869@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Monday 02-12-2019 18:00 − Tuesday 03-12-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ Strandhogg: Android security vulnerability is being actively exploited ∗∗∗
---------------------------------------------
On Android, malicious apps can disguise themselves as legitimate apps and request additional permissions. The vulnerability, dubbed Strandhogg, is already being actively exploited and is suitable for banking trojans, for example. There is no patch. ... The security firm Lookout has already identified 36 apps that exploit the vulnerability. The security firm does not name the affected apps, however. Some of them were reportedly also found in the Google Play Store, but they did not contain the malware itself; instead they downloaded it after installation, so-called dropper apps. Google removed the affected apps from the Play Store after being notified.
---------------------------------------------
https://www.golem.de/news/strandhogg-sicherheitsluecke-in-android-wird-aktiv-ausgenutzt-1912-145322-rss.html

∗∗∗ Network traffic analysis for Incident Response (IR): TLS decryption ∗∗∗
---------------------------------------------
Over the years, the use of TLS has grown dramatically, with over half of websites using HTTPS by default. However, situations exist where it is useful to be able to decrypt this traffic. For example, many organizations perform deep packet inspection (DPI) in order to detect and block potentially malicious traffic.
---------------------------------------------
https://resources.infosecinstitute.com/network-traffic-analysis-for-incident-response-ir-tls-decryption/

∗∗∗ Another Fake Google Domain: fonts[.]googlesapi[.]com ∗∗∗
---------------------------------------------
Our Remediation team lead Ben Martin recently found a fake Google domain that is pretty convincing to the naked eye. The malicious domain was abusing the URL shortener service is.gd: shortened URLs were being injected into the posts table of the client's WordPress database.
Whenever the infected WordPress page loads, the actual content is obscured behind the is.gd shortener, which obtains content from the fake Google domain: fonts[.]googlesapi[.]com
---------------------------------------------
https://blog.sucuri.net/2019/12/another-fake-google-domain-fonts-googlesapi-com.html

∗∗∗ Ursnif infection with Dridex ∗∗∗
---------------------------------------------
Today's diary reviews an Ursnif infection from this campaign that I generated in my lab environment on Monday, December 2nd.
---------------------------------------------
https://isc.sans.edu/diary/rss/25566

∗∗∗ Call from Microsoft? Hang up immediately! ∗∗∗
---------------------------------------------
Criminals pose as Microsoft employees and tell worried users that their computer has been infected by a trojan. Under this pretext, the criminals try to gain access to the computer and then steal sensitive credentials or delete valuable data. This is a scam; Microsoft would never call anyone personally!
---------------------------------------------
https://www.watchlist-internet.at/news/anruf-von-microsoft-legen-sie-sofort-auf/

∗∗∗ A decade of malware: Top botnets of the 2010s ∗∗∗
---------------------------------------------
ZDNet goes over the list of biggest malware botnets of the past decade, from Necurs to Mirai.
---------------------------------------------
https://www.zdnet.com/article/a-decade-of-malware-top-botnets-of-the-2010s/

=====================
= Vulnerabilities =
=====================

∗∗∗ Multiple MOTEX products vulnerable to privilege escalation ∗∗∗
---------------------------------------------
LanScope Cat and LanScope An provided by MOTEX Inc. contain a privilege escalation vulnerability. A user who can log in to the PC where the vulnerable product is installed may obtain unauthorized privileges and execute arbitrary code.
---------------------------------------------
https://jvn.jp/en/jp/JVN49068796/

∗∗∗ Patch day: Google serves up security patches for Android and its Pixel series ∗∗∗
---------------------------------------------
Various Android versions can be attacked via critical security vulnerabilities. Security updates are now available.
---------------------------------------------
https://heise.de/-4602506

∗∗∗ Multiple vulnerabilities in Fronius Solar Inverter Series (CVE-2019-19229, CVE-2019-19228) ∗∗∗
---------------------------------------------
The vendor automatically performed a fleet update of the solar inverters in the field in order to patch them. Nevertheless, as not all devices could be reached through such an update, all remaining users are advised to install the patches provided by the vendor immediately. (CVE-2019-19229, CVE-2019-19228)
---------------------------------------------
https://sec-consult.com/en/blog/advisories/multiple-vulnerabilites-in-fronius-solar-inverter-series-cve-2019-19229-cve-2019-19228/

∗∗∗ Vulnerability Spotlight: Two vulnerabilities in EmbedThis GoAhead ∗∗∗
---------------------------------------------
EmbedThis' GoAhead Web Server contains two vulnerabilities that both arise when the software attempts to process a multipart/form-data HTTP request. An attacker could exploit these vulnerabilities to remotely execute code on the victim machine, or cause a denial-of-service condition.
---------------------------------------------
https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-EmbedThis-GoAhead.html

∗∗∗ Vulnerability Spotlight: Accusoft ImageGear PNG IHDR width code execution vulnerability ∗∗∗
---------------------------------------------
Accusoft ImageGear contains two remote code execution vulnerabilities. ImageGear is a document and imaging library from Accusoft that developers can use to build their applications. The library contains the entire document imaging lifecycle.
This vulnerability is present in the Accusoft ImageGear library, which is a document-imaging developer toolkit.
---------------------------------------------
https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-accusoft-PNG-dec-19.html

∗∗∗ Vulnerability Spotlight: SQL injection vulnerabilities in Forma Learning Management System ∗∗∗
---------------------------------------------
Cisco Talos recently discovered three SQL injection vulnerabilities in the authenticated portion of the Forma Learning Management System. LMS is a set of software that allows companies to build and host different training courses for their employees. The software operates with an open-source licensing model and now operates under the Forma organization.
---------------------------------------------
https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-sql-injection-dec-19.html

∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (intel-ucode and libtiff), Debian (exiv2), Oracle (SDL), Red Hat (kernel, patch, and python-jinja2), and Ubuntu (graphicsmagick, linux, linux-aws, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-hwe, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp...)
---------------------------------------------
https://lwn.net/Articles/806202/

∗∗∗ Kaspersky Internet Security: vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
A local attacker can exploit a vulnerability in Kaspersky Internet Security and Kaspersky Total Security to execute arbitrary code with the privileges of the service.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1035

∗∗∗ Trend Micro Internet Security: vulnerability allows privilege escalation ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit a vulnerability in Trend Micro Internet Security and Trend Micro AntiVirus to escalate their privileges.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1034

∗∗∗ Security Bulletin: IBM Cloud Pak System is vulnerable to Intel Microarchitectural Data Sampling (MDS) Vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-vulnerable-to-intel-microarchitectural-data-sampling-mds-vulnerabilites/

∗∗∗ Security Bulletin: Vulnerability in Google Guava affects IBM Cloud Pak System (CVE-2018-10237) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-google-guava-affects-ibm-cloud-pak-system-cve-2018-10237/

∗∗∗ Security Bulletin: Vulnerability from Apache HttpComponents affects IBM Cloud Pak System (CVE-2011-1498, CVE-2015-5262) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache-httpcomponents-affects-ibm-cloud-pak-system-cve-2011-1498-cve-2015-5262/

∗∗∗ Security Bulletin: Multiple cross-site scripting vulnerabilities in Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cross-site-scripting-vulnerabilities-in-cloud-pak-system/

∗∗∗ Security Bulletin: Cross-site scripting vulnerability in IBM Cloud Pak System (CVE-2019-4098) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vulnerability-in-ibm-cloud-pak-system-cve-2019-4098/

∗∗∗ BIND vulnerability CVE-2019-6477 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K15840535?utm_source=f5support&utm_medium=RSS

From team at cert.at Wed Dec 4 18:09:15 2019
From: team at cert.at (Daily end-of-shift report)
Date: Wed, 4 Dec 2019 18:09:15 +0100
Subject: [CERT-daily] Daily summary - 04.12.2019
Message-ID: <15754793550.D8A9c.22582@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Tuesday 03-12-2019 18:00 − Wednesday 04-12-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ RSA-240: factorization success does not endanger RSA ∗∗∗
---------------------------------------------
Researchers have factored a 795-bit number on a computing cluster. The RSA encryption and signature scheme relies on factorization being hard. For the practical security of RSA with modern key lengths, however, this breakthrough has little significance today.
---------------------------------------------
https://www.golem.de/news/rsa-240-faktorisierungserfolg-gefaehrdet-rsa-nicht-1912-145359-rss.html

∗∗∗ APT review: what the world's threat actors got up to in 2019 ∗∗∗
---------------------------------------------
What were the most interesting developments in terms of APT activity during the year and what can we learn from them?
---------------------------------------------
https://securelist.com/ksb-2019-review-of-the-year/95394/

∗∗∗ SEC Xtractor: extracting data from electronic devices ∗∗∗
---------------------------------------------
The SEC Consult Hardware Lab has developed a special hardware analysis tool that lets security consultants easily read firmware out of memory chips. The so-called "SEC Xtractor" has now been released as an open-source version.
---------------------------------------------
https://www.sec-consult.com/blog/2019/12/sec-xtractor-extrahieren-von-daten-aus-elektronischen-geraeten/

∗∗∗ Introducing Password Cracking Manager: CrackQ ∗∗∗
---------------------------------------------
Today we are releasing CrackQ, a queuing system to manage password cracking that I've been working on for about a year. It is primarily for offensive security teams during red teaming and pentesting engagements. It's an intuitive interface for Hashcat served by a REST API and a JavaScript front-end web application for ease of use.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/introducing-password-cracking-manager-crackq/

∗∗∗ How to Respond to Emotet Infection (FAQ) ∗∗∗
---------------------------------------------
The purpose of this entry is to provide instructions on how to check if you are infected with Emotet and what you can do in case of infection (based on the information available as of December 2019).
---------------------------------------------
https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html

∗∗∗ Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774) ∗∗∗
---------------------------------------------
As established, the patches for CVE-2017-11774 can be effectively "disabled" by modifying registry keys on an endpoint with no special privileges. The following registry keys and values should be configured via Group Policy to reinforce the recommended configurations in the event that an attacker attempts to reverse the intended security configuration on an endpoint to allow for Outlook home page persistence for malicious purposes.
---------------------------------------------
https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html

∗∗∗ Microsoft Guidance for cleaning up orphaned keys generated on vulnerable TPMs and used for Windows Hello for Business ∗∗∗
---------------------------------------------
... WHfB keys are tied to a user and a device that has been added to Azure AD, and if the device is removed, the corresponding WHfB key is considered orphaned. However, these orphaned keys are not deleted even when the device they were created on is no longer present. Any authentication to Azure AD using such an orphaned WHfB key will be rejected. However, some of these orphaned keys could lead to the following security issue in Active Directory 2016 or 2019, in either hybrid or on-premises
---------------------------------------------
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190026

∗∗∗ Fraud with sought-after Champions League tickets on Facebook ∗∗∗
---------------------------------------------
Seeing your favourite band live or cheering on your favourite football club in the UEFA Champions League in the stadium is a unique experience. In Facebook groups for sold-out events, desperate fans try to grab the last tickets. In private messages, they are promised these tickets on Facebook in exchange for a bank transfer or PayPal payment. Beware: criminals may be behind this!
---------------------------------------------
https://www.watchlist-internet.at/news/betrug-mit-begehrten-champions-league-tickets-auf-facebook/

∗∗∗ Two malicious Python libraries removed from PyPI ∗∗∗
---------------------------------------------
One library was available for only two days, but the second was live for nearly a year.
---------------------------------------------
https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/

=====================
= Vulnerabilities =
=====================

∗∗∗ Reliable Controls LicenseManager ∗∗∗
---------------------------------------------
This advisory contains mitigations for an unquoted search path or element vulnerability in the Reliable Controls LicenseManager.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-337-01

∗∗∗ Moxa AWK-3121 ∗∗∗
---------------------------------------------
This advisory contains mitigations for multiple vulnerabilities in Moxa's AWK-3121 wireless access point/bridge/client.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-337-02

∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (389-ds-base, ghostscript, kernel, and tcpdump), Debian (libonig), Fedora (clamav, firefox, and oniguruma), openSUSE (calamares, cloud-init, haproxy, libarchive, libidn2, libxml2, and ucode-intel), Scientific Linux (SDL and tcpdump), Slackware (mozilla), and Ubuntu (haproxy, intel-microcode, and postgresql-common).
---------------------------------------------
https://lwn.net/Articles/806296/

∗∗∗ Security Advisory - Improper Authentication Vulnerability in Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-01-smartphone-en

∗∗∗ Security Advisory - Remote Code Execution Vulnerability in Fastjson ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-01-fastjson-en

∗∗∗ Security Advisory - Out-of-bounds Read Vulnerability in Advanced Packages of Gauss100 OLTP Database ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-01-gauss100-en

∗∗∗ Security Advisory - Denial of Service Vulnerability in some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-03-dos-en

∗∗∗ Security Advisory - Weak Algorithm Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-01-vrp-en

∗∗∗ Security Advisory - DoS Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-02-dos-en

∗∗∗ Security Advisory - Insufficient Verification of Data Authenticity Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-01-validation-en

∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-04-dos-en

∗∗∗ Security Advisory - Path Traversal Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-03-smartphone-en

∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191204-02-smartphone-en

∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by a FasterXML jackson-databind vulnerability (CVE-2019-12814) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insight-cloud-native-event-analytics-is-affected-by-a-fasterxml-jackson-databind-vulnerability-cve-2019-12814/

∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Cloud Pak System (CVE-2019-1552) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-affects-ibm-cloud-pak-system-cve-2019-1552/

∗∗∗ Security Bulletin: Security Vulnerabilities have been identified in IBM Java Runtime as shipped with Tivoli Federated Identity Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-have-been-identified-in-ibm-java-runtime-as-shipped-with-tivoli-federated-identity-manager/

∗∗∗ Security Bulletin: A security vulnerability has been identified in Red Hat® Enterprise Linux (RHEL) Server shipped with PurePower Integrated Manager (PPIM) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-red-hat-enterprise-linux-rhel-server-shipped-with-purepower-integrated-manager-ppim-2/

∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by an Apache Kafka vulnerability (CVE-2018-17196) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insight-cloud-native-event-analytics-is-affected-by-an-apache-kafka-vulnerability-cve-2018-17196/

∗∗∗ Security Bulletin: A security vulnerability has been identified in Red Hat® Enterprise Linux (RHEL) Server shipped with PurePower Integrated Manager (PPIM) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-red-hat-enterprise-linux-rhel-server-shipped-with-purepower-integrated-manager-ppim/

∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by an Apache Zookeeper vulnerability (CVE-2019-0201) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insight-cloud-native-event-analytics-is-affected-by-an-apache-zookeeper-vulnerability-cve-2019-0201/

∗∗∗ IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2019-2602) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ibm-java-sdk-affects-ibm-san-volume-controller-ibm-storwize-ibm-spectrum-virtualize-and-ibm-flashsystem-products-cve-2019-2602/

From team at cert.at Thu Dec 5 18:12:42 2019
From: team at cert.at (Daily end-of-shift report)
Date: Thu, 5 Dec 2019 18:12:42 +0100
Subject: [CERT-daily] Daily summary - 05.12.2019
Message-ID: <15755659620.3257ab06.11824@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Wednesday 04-12-2019 18:00 − Thursday 05-12-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ Security prenotification for Adobe Acrobat and Reader | APSB19-55 ∗∗∗
---------------------------------------------
Adobe is planning to release security updates for Adobe Acrobat and Reader for Windows and macOS on Tuesday, December 10, 2019.
---------------------------------------------
https://helpx.adobe.com/security/products/acrobat/apsb19-55.html

∗∗∗ Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter ∗∗∗
---------------------------------------------
Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software.
---------------------------------------------
https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/

∗∗∗ NTLMRecon ∗∗∗
---------------------------------------------
A fast NTLM reconnaissance tool without external dependencies. Useful to find out information about NTLM endpoints when working with a large set of potential IP addresses and domains.
---------------------------------------------
https://github.com/sachinkamath/ntlmrecon

∗∗∗ xHunt Actor's Cheat Sheet ∗∗∗
---------------------------------------------
Unit 42 found evidence that the developers who created the Sakabota tool had carried out two sets of testing activities on Sakabota in an attempt to evade detection. Within one sample created during this testing process, we uncovered a cheat sheet meant to assist operators of the tool to carry out activities on the compromised system and network, which we've never seen before.
---------------------------------------------
https://unit42.paloaltonetworks.com/xhunt-actors-cheat-sheet/

=====================
= Vulnerabilities =
=====================

∗∗∗ Authentication vulnerabilities in OpenBSD ∗∗∗
---------------------------------------------
We discovered an authentication-bypass vulnerability in OpenBSD's authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms. (CVE-2019-19521)
---------------------------------------------
https://www.openwall.com/lists/oss-security/2019/12/04/5

∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (firefox), Fedora (cyrus-imapd, freeipa, haproxy, ImageMagick, python-pillow, rubygem-rmagick, sqlite, squid, and tnef), openSUSE (haproxy), Oracle (microcode_ctl), and Ubuntu (squid, squid3).
---------------------------------------------
https://lwn.net/Articles/806384/

∗∗∗ Weidmueller multiple vulnerabilities in various Industrial Ethernet managed switches ∗∗∗
---------------------------------------------
CVE-2019-16670: The authentication mechanism has no brute-force prevention. CVE-2019-16671: Remote authenticated users can crash a device with a special packet because of uncontrolled resource consumption. CVE-2019-16672: Sensitive credential data is transmitted in cleartext. ... CVSS scores: up to 9.8
---------------------------------------------
https://cert.vde.com/de-de/advisories/vde-2019-018

∗∗∗ Mozilla Thunderbird: multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous or authenticated attacker can exploit multiple vulnerabilities in Mozilla Thunderbird to execute arbitrary code with user privileges, view confidential data, or carry out a denial of service attack.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1040

∗∗∗ Wireshark: vulnerability allows denial of service ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit a vulnerability in Wireshark to carry out a denial of service attack.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1039

∗∗∗ Security Bulletin: IBM ToolsCenter Dynamic System Analysis (DSA) Preboot is affected by multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-toolscenter-dynamic-system-analysis-dsa-preboot-is-affected-by-multiple-vulnerabilities/

∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Business Service Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-ibm-tivoli-business-service-manager/

∗∗∗ Intel MCE vulnerability CVE-2018-12207 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K17269881

From team at cert.at Fri Dec 6 18:06:51 2019
From: team at cert.at (Daily end-of-shift report)
Date: Fri, 6 Dec 2019 18:06:51 +0100
Subject: [CERT-daily] Daily summary - 06.12.2019
Message-ID: <15756520110.4A8eC3A.1224@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Thursday 05-12-2019 18:00 − Friday 06-12-2019 18:00
Handler: Robert Waldner
Co-Handler: Dimitri Robl

=====================
= News =
=====================

∗∗∗ 8 common pen testing mistakes and how to avoid them ∗∗∗
---------------------------------------------
One of the most effective ways to uncover flaws and weaknesses in your security posture is to have a third party carry out planned attacks on your system.
Penetration testing is all about exposing gaps in your defenses so that they can be plugged before someone with malicious intent can take advantage. There are several different types of pen test designed to target different aspects of your organization.
---------------------------------------------
https://www.csoonline.com/article/3487557/8-common-pen-testing-mistakes-and-how-to-avoid-them.html

∗∗∗ Lazarus Group Goes Fileless ∗∗∗
---------------------------------------------
The rather infamous APT group, "Lazarus", continues to evolve their macOS capabilities. Today, we tear apart their latest 1st-stage implant that supports remote download & in-memory execution of secondary payloads!
---------------------------------------------
https://objective-see.com/blog/blog_0x51.html

∗∗∗ Phishing with a self-contained credentials-stealing webpage ∗∗∗
---------------------------------------------
Phishing e-mails which are used to steal credentials usually depend on the user clicking a link which leads to a phishing website that looks like the login page for some valid service. Not all credentials-stealing has to be done using a remote website, however. I recently came across an interesting phishing campaign in which the scammers used a rather novel technique.
---------------------------------------------
https://isc.sans.edu/diary/rss/25580

∗∗∗ If there's somethin' stored in a secure enclave, who ya gonna call? Membuster! ∗∗∗
---------------------------------------------
Computer scientists from UC Berkeley, Texas A&M, and semiconductor biz SK Hynix have found a way to defeat secure enclave protections by observing memory requests from a CPU to off-chip DRAM through the memory bus.
---------------------------------------------
https://www.theregister.co.uk/2019/12/05/membuster_secure_enclave/

∗∗∗ Only a few weeks left: Changes of plan for the end of Windows 7 support ∗∗∗
---------------------------------------------
Three weeks after Christmas, Microsoft will hand out free security updates for Windows 7 for the last time. So it will soon be time to switch.
---------------------------------------------
https://heise.de/-4602768

=====================
= Vulnerabilities =
=====================

∗∗∗ Unix-like systems: Security flaw allows takeover of VPN connections ∗∗∗
---------------------------------------------
Through targeted analysis and manipulation of TCP packets, attackers could inject their own data into VPN connections and thereby take them over. Almost all Unix-like systems are affected, as are VPN protocols. In practice, however, an attack is likely rather difficult. (Security, Server)
---------------------------------------------
https://www.golem.de/news/unix-artige-systeme-sicherheitsluecke-ermoeglicht-uebernahme-von-vpn-verbindung-1912-145403-rss.html

∗∗∗ VMware ESXi and Horizon DaaS updates address OpenSLP remote code execution vulnerability (CVE-2019-5544) ∗∗∗
---------------------------------------------
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2019-0022.html

∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libav), Fedora (kernel, libuv, and nodejs), Oracle (firefox), Red Hat (firefox and java-1.7.1-ibm), SUSE (clamav, cloud-init, dnsmasq, dpdk, ffmpeg, munge, opencv, and permissions), and Ubuntu (librabbitmq).
---------------------------------------------
https://lwn.net/Articles/806543/

∗∗∗ Thales DIS SafeNet Sentinel LDK License Manager Runtime ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-339-01

∗∗∗ Security Bulletin: Netcool Operations Insight – Cloud Native Event Analytics is affected by a FasterXML jackson-databind vulnerability (CVE-2019-14439) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insight-cloud-native-event-analytics-is-affected-by-a-fasterxml-jackson-databind-vulnerability-cve-2019-14439/

∗∗∗ Security Bulletin: ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-2/

∗∗∗ Security Bulletin: ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin/

∗∗∗ Security Bulletin: IBM DataPower Gateway enables default IPMI account ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-enables-default-ipmi-account/

From team at cert.at Mon Dec 9 18:24:28 2019
From: team at cert.at (Daily end-of-shift report)
Date: Mon, 9 Dec 2019 18:24:28 +0100
Subject: [CERT-daily] Daily summary - 09.12.2019
Message-ID: <15759122680.8F6EF.858@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Friday 06-12-2019 18:00 − Monday 09-12-2019 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter

=====================
= News =
=====================

∗∗∗ SCshell: Fileless Lateral Movement Using Service Manager ∗∗∗
---------------------------------------------
During red team engagements, lateral movement in a network is crucial. In addition, as a critical part of exploit chains, security solutions put a lot of effort into detecting this movement.
Techniques such as remote WMI and PsExec are fairly well detected. In the case of WMI, WmiPrvSe.exe will be the parent process responsible for spawning the process, making the detection a bit easier. PsExec on its end will push a file on the remote system and register a new service.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scshell-fileless-lateral-movement-using-service-manager/

∗∗∗ We thought they were potatoes but they were beans (from Service Account to SYSTEM again) ∗∗∗
---------------------------------------------
Nevertheless, we decided to do some further research in order to understand if any bypass of the new OXID resolver restrictions, which in fact inhibit resolver requests over a port different to 135, is still possible.
---------------------------------------------
https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/

∗∗∗ Detecting unsafe path access patterns with PathAuditor ∗∗∗
---------------------------------------------
Posted by Marta Rożek, Google Summer Intern 2019, and Stephen Röttger, Software Engineer

    #!/bin/sh
    cat /home/user/foo

What can go wrong if this command runs as root? Does it change anything if foo is a symbolic link to /etc/shadow? How is the output going to be used? Depending on the answers to the questions above, accessing files this way could be a vulnerability. The vulnerability exists in syscalls that operate on file paths, such as open, rename, chmod, or exec.
---------------------------------------------
https://security.googleblog.com/2019/12/detecting-unsafe-path-access-patterns.html

=====================
= Vulnerabilities =
=====================

∗∗∗ NVIDIA Patches Severe Flaws in Mercedes Infotainment System Chips ∗∗∗
---------------------------------------------
NVIDIA released security updates for six high severity vulnerabilities found in the Tegra Linux Driver Package (L4T) for Jetson AGX Xavier, TK1, TX1, TX2, and Nano chips used in Mercedes-Benz's MBUX infotainment system and Bosch self-driving computer systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nvidia-patches-severe-flaws-in-mercedes-infotainment-system-chips/

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (SDL), Debian (htmldoc, librabbitmq, nss, openjdk-7, openslp-dfsg, and phpmyadmin), Fedora (chromium, community-mysql, kernel, libidn2, oniguruma, proftpd, and rabbitmq-server), Mageia (ansible, clamav, evince, firefox, graphicsmagick, icu, libcryptopp, libtasn1, libtiff, libvncserver, libvpx, lz4, nss, openexr, openjpeg2, openssl, phpmyadmin, python-psutil, python-twisted, QT, sdl2_image, SDL_image, sysstat, thunderbird, and tnef), Oracle (firefox), [...]
---------------------------------------------
https://lwn.net/Articles/806832/

∗∗∗ OpenSSL: Vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1045

∗∗∗ [dos] Omron PLC 1.0.0 - Denial of Service (PoC) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/47757

∗∗∗ [webapps] Alcatel-Lucent Omnivista 8770 - Remote Code Execution ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/47761

∗∗∗ [webapps] Yachtcontrol Webapplication 1.0 - Unauthenticated Remote Code Execution ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/47760

∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-5/

∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-4/

∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-3/

∗∗∗ Security Bulletin: IBM Planning Analytics Local is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-local-is-affected-by-security-vulnerabilities/
∗∗∗ Security Bulletin: Vulnerability affects IBM Watson Assistant for IBM Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affects-ibm-watson-assistant-for-ibm-cloud-pak-for-data/

∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind-2/

∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-ibm-cloud-pak-for-data-affected-by-vulnerability-in-fasterxml-jackson-databind/

∗∗∗ Security Bulletin: IBM Transparent Cloud Tiering is affected by a vulnerability in Apache Commons Compress (CVE-2019-12402) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-could-tiering-is-affected-by-a-vulnerability-in-apache-commons-compress-cve-2019-12402/

∗∗∗ Security Bulletin: IBM Transparent Cloud Tiering is affected by Netty vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transparent-cloud-tiering-is-affected-by-netty-vulnerability/

∗∗∗ Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Transparent Cloud Tiering ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-node-js-affect-ibm-transparent-cloud-tiering/

∗∗∗ Security Bulletin: IBM Spectrum Scale Transparent Cloud Tiering is affected by multiple vulnerabilities in IBM® Runtime Environment Java™ Version 8 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-scale-transparent-cloud-tiering-is-affected-by-multiple-vulnerabilities-in-ibm-runtime-environment-java-version-8/

From team at cert.at Tue Dec 10 19:11:47 2019
From: team at cert.at (Daily end-of-shift report)
Date: Tue, 10 Dec 2019 19:11:47 +0100
Subject: [CERT-daily] Daily summary - 10.12.2019
Message-ID: <15760015070.65af8.10034@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Monday 09-12-2019 18:00 − Tuesday 10-12-2019 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter

=====================
= News =
=====================

∗∗∗ Snatch Ransomware Reboots to Windows Safe Mode to Bypass AV Tools ∗∗∗
---------------------------------------------
Researchers discovered a new Snatch ransomware strain that will reboot computers it infects into Safe Mode to disable any resident security solutions and immediately starts encrypting files once the system loads.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/

∗∗∗ Don't pay off Ryuk ransomware, warn infoseccers: Its creators borked the decryptor ∗∗∗
---------------------------------------------
Oracle DBs particularly vulnerable to fake decryptions, say researchers
If you're an Oracle database user and are tempted to pay off a Ryuk ransomware infection to get your files back, for pity's sake, don't. The criminals behind it have broken their own decryptor, meaning nobody will be able to unlock files scrambled by the malicious software.
---------------------------------------------
https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/10/ryuk_decryptor_broken_latest_strain/

∗∗∗ What you need to watch out for when shopping online ∗∗∗
---------------------------------------------
It won't be long before it's Christmas again. For some the most contemplative time of the year, for others pure stress - especially when many gifts need to be bought. Online shopping is a convenient solution. But online shopping also carries some risks.
---------------------------------------------
https://www.watchlist-internet.at/news/was-sie-beim-onlineshoppen-beachten-muessen/

=====================
= Vulnerabilities =
=====================

∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Acrobat and Reader (APSB19-55), Adobe Photoshop (APSB19-56), Brackets (APSB19-57) and Adobe ColdFusion (APSB19-58). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided "AS IS" with no warranties and confers no rights.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1813

∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, jruby, and squid3), Fedora (librabbitmq, libuv, and xpdf), openSUSE (calamares and opera), Oracle (kernel and nss), Red Hat (httpd24-httpd, kernel, kernel-alt, kpatch-patch, nss-softokn, sudo, and thunderbird), SUSE (apache2-mod_perl, java-1_8_0-openjdk, and postgresql), and Ubuntu (eglibc, firefox, and samba).
---------------------------------------------
https://lwn.net/Articles/806957/

∗∗∗ SAP Security Patch Day – December 2019 ∗∗∗
---------------------------------------------
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape. On 10th of December 2019, SAP Security Patch Day saw the release of 5 Security Notes. There are 2 updates to previously released Patch [...]
---------------------------------------------
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=533660397

∗∗∗ Security Bulletin: Multiple Vulnerabilities in MongoDB affects IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-mongodb-affects-ibm-watson-studio-local/

∗∗∗ Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting (CVE-2019-4663) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-server-liberty-is-vulnerable-to-cross-site-scripting-cve-2019-4663/

∗∗∗ Security Bulletin: Vulnerabilities addressed in IBM Cloud Pak System (CVE-2019-4521, CVE-2019-4095) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-addressed-in-ibm-cloud-pak-system-cve-2019-4521-cve-2019-4095/

∗∗∗ Security Bulletin: Multiple Vulnerabilities in HAProxy affects IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-haproxy-affects-ibm-watson-studio-local/

∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server October 2019 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-websphere-application-server-october-2019-cpu/

∗∗∗ Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-affect-ibm-websphere-application-server-in-ibm-cloud/

∗∗∗ Security Bulletin: Multiple Vulnerabilities in python affects IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-python-affects-ibm-watson-studio-local/

∗∗∗ Security Bulletin: IBM Integration Bus Hypervisor Edition V9.0 requires customer action for security vulnerabilities in Red Hat Linux ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-hyper-visor-edition-v9-0-require-customer-action-for-security-vulnerabilities-in-red-hat-linux/

∗∗∗ IBM Security Bulletin: PowerVC is impacted by an OpenStack Neutron vulnerability related to security group rules (CVE-2019-10876) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-powervc-is-impacted-by-an-openstack-neutron-vulnerability-related-to-security-group-rules-cve-2019-10876/

∗∗∗ IBM Security Bulletin: PowerVC is impacted by an OpenStack Neutron denial of service vulnerability (CVE-2018-14635) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/ibm-security-bulletin-powervc-is-impacted-by-an-openstack-neutron-denial-of-service-vulnerability-cve-2018-14635/

∗∗∗ SSA-451445 (Last Update: 2019-12-10): Multiple Vulnerabilities in SPPA-T3000 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-451445.pdf

∗∗∗ SSA-273799 (Last Update: 2019-12-10): Vulnerability in SIMATIC products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-273799.pdf

∗∗∗ SSA-525454 (Last Update: 2019-12-10): Vulnerabilities in XHQ Operations Intelligence ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-525454.pdf

∗∗∗ SSA-418979 (Last Update: 2019-12-10): Vulnerabilities in EN100 Ethernet Communication Module ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-418979.pdf

∗∗∗ SSA-761617 (Last Update: 2019-12-10): Multiple Vulnerabilities in SiNVR Video Management Solution ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-761617.pdf

∗∗∗ SSA-344983 (Last Update: 2019-12-10): Vulnerability in WPA2 Key Handling affecting SCALANCE W700 and SCALANCE W1700 Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-344983.pdf

∗∗∗ SSA-618620 (Last Update: 2019-12-10): Vulnerabilities in Boot Loader (U-Boot) of RUGGEDCOM ROS Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-618620.pdf

∗∗∗ Samba: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1048

From team at cert.at Wed Dec 11 18:41:02 2019
From: team at cert.at (Daily end-of-shift report)
Date: Wed, 11 Dec 2019 18:41:02 +0100
Subject: [CERT-daily] Daily summary - 11.12.2019
Message-ID: <15760860620.E0D32B.12619@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Tuesday 10-12-2019 18:00 − Wednesday 11-12-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ Zeppelin Ransomware Targets Healthcare and IT Companies ∗∗∗
---------------------------------------------
A new variant of the VegaLocker/Buran Ransomware called Zeppelin has been spotted infecting U.S. and European companies via targeted installs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/zeppelin-ransomware-targets-healthcare-and-it-companies/

∗∗∗ Bad news: KeyWe Smart Lock is easily bypassed and can't be fixed ∗∗∗
---------------------------------------------
Good news? There is no good news
File this one under "not everything needs a computer in it". Finnish security house F-Secure today revealed a vulnerability in the KeyWe Smart Lock that could let a sticky-fingered miscreant easily bypass it.
---------------------------------------------
https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/11/f_secure_keywe/

∗∗∗ Intel patches "Plundervolt" and numerous other security flaws ∗∗∗
---------------------------------------------
Malicious processor "undervolting" can coax secrets out of SGX-encrypted RAM enclaves; Intel also patches 10 further security flaws.
---------------------------------------------
https://heise.de/-4611068

∗∗∗ Free online dating or expensive subscription trap? ∗∗∗
---------------------------------------------
We keep receiving complaints from annoyed singles who went looking for love or fun on heissetreffen.at. The initial sign-up is completely free. But anyone who wants to see profile pictures is asked to confirm their age by entering credit card details. Warning: this lands you in an expensive subscription trap! There is no reason to pay.
---------------------------------------------
https://www.watchlist-internet.at/news/gratis-online-dating-oder-teure-abo-falle/

=====================
= Vulnerabilities =
=====================

∗∗∗ Apple Releases Multiple Security Updates ∗∗∗
---------------------------------------------
Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2019/12/10/apple-releases-multiple-security-updates

∗∗∗ Microsoft Releases December 2019 Security Updates ∗∗∗
---------------------------------------------
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2019/12/10/microsoft-releases-december-2019-security-updates

∗∗∗ Intel Releases Security Updates ∗∗∗
---------------------------------------------
Intel has released security updates to address vulnerabilities in multiple products. An authenticated attacker with local access could exploit some of these vulnerabilities to gain escalation of privileges.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2019/12/10/intel-releases-security-updates

∗∗∗ Xen Security Advisory CVE-2019-19581,CVE-2019-19582 / XSA-307 - find_next_bit() issues ∗∗∗
---------------------------------------------
In a number of places bitmaps are being used by the hypervisor to track certain state. Iteration over all bits involves functions which may misbehave in certain corner cases: [...]
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-307.html

∗∗∗ Xen Security Advisory CVE-2019-19583 / XSA-308 - VMX: VMentry failure with debug exceptions and blocked states ∗∗∗
---------------------------------------------
The VMX VMEntry checks do not like the exact combination of state which occurs when #DB is intercepted, Single Stepping is active, and blocked by STI/MovSS is active, despite this being a legitimate state to be in. The resulting VMEntry failure is fatal to the guest.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-308.html

∗∗∗ Xen Security Advisory CVE-2019-19578 / XSA-309 - Linear pagetable use / entry miscounts ∗∗∗
---------------------------------------------
[...] If an attacker could engineer such a situation to occur, they might be able to make loops or other arbitrary chains of linear pagetables, as described in XSA-240.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-309.html

∗∗∗ Xen Security Advisory CVE-2019-19580 / XSA-310 - Further issues with restartable PV type change operations ∗∗∗
---------------------------------------------
XSA-299 addressed several critical issues in restartable PV type change operations. Despite extensive testing and auditing, some corner cases were missed.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-310.html

∗∗∗ Xen Security Advisory CVE-2019-19577 / XSA-311 - Bugs in dynamic height handling for AMD IOMMU pagetables ∗∗∗
---------------------------------------------
A malicious guest administrator can cause Xen to access data structures while they are being modified, causing Xen to crash. Privilege escalation is thought to be very difficult but cannot be ruled out.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-311.html

∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (crypto++ and thunderbird), Debian (cacti, freeimage, git, and jackson-databind), Fedora (nss), openSUSE (clamav, dnsmasq, munge, opencv, permissions, and shadowsocks-libev), Red Hat (nss, nss-softokn, nss-util, rh-maven35-jackson-databind, and thunderbird), Scientific Linux (nss, nss-softokn, nss-util, nss-softokn, and thunderbird), SUSE (caasp-openstack-heat-templates, crowbar-core, crowbar-openstack, crowbar-ui, etcd, flannel, galera-3, [...]
---------------------------------------------
https://lwn.net/Articles/807073/

∗∗∗ Citrix Hypervisor Security Update ∗∗∗
---------------------------------------------
CTX266932 New
Applicable Products: Citrix Hypervisor 8.0, XenServer 7.0, XenServer 7.1 LTSR Cumulative Update 2, XenServer 7.6
A number of vulnerabilities have been found in Citrix Hypervisor (formerly Citrix XenServer) that may:
i. Allow the host to be compromised by privileged code in a PV guest VM,
ii. allow unprivileged code in a HVM guest VM to cause that guest to [...]
--------------------------------------------- https://support.citrix.com/article/CTX266932 ∗∗∗ Security Advisory - Denial of Service Vulnerability on Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190911-01-mobile-en ∗∗∗ Security Advisory - Information Leakage Vulnerability on Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191211-01-vrp-en ∗∗∗ Security Advisory - Information Disclosure Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191211-01-smartphone-en ∗∗∗ Security Advisory - Information Leak Vulnerability in Huawei CloudUSM-EUA Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191211-01-eua-en ∗∗∗ Security Advisory - Multiple Vulnerabilities in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191211-01-ssp-en ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale which allows users to embed arbitrary JavaScript code in the Web UI (CVE-2019-4665) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-spectrum-scale-which-allows-users-to-embed-arbitrary-javascript-code-in-the-web-ui-cve-2019-4665/ ∗∗∗ Security Bulletin: Security vulnerability in IBM WebSphere Application Server affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in-ibm-websphere-application-server-affects-ibm-voice-gateway/ ∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis is affected by an Apache Zookeeper vulnerability 
(CVE-2019-4244) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-log-analysis-is-affected-by-an-apache-zookeeper-vulnerability-cve-2019-4244/ ∗∗∗ Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise are affected by a Websphere Application Server Vulnerability (CVE-2018-1996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-ibm-app-connect-enterprise-are-affected-by-a-websphere-application-server-vulnerability-cve-2018-1996/ ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where remoted authenticated attacker can execute arbitrary command(CVE 2019-4715)) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-spectrum-scale-where-remoted-authenticated-attacker-can-execute-arbitrary-commandcve-2019-4715/ ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox have affected Synthetic Playback Agent 8.1.4.x ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozilla-firefox-have-affected-synthetic-playback-agent-8-1-4-x/ ∗∗∗ Security Bulletin: CVE-2019-10072 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-10072/ ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale which allows users to embed arbitrary JavaScript code in the Web UI (CVE-2019-4665) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-identified-in-ibm-spectrum-scale-which-allows-users-to-embed-arbitrary-javascript-code-in-the-web-ui-cve-2019-4665/ ∗∗∗ File Extension Spoofing in Windows Defender Antivirus ∗∗∗ --------------------------------------------- 
https://sec-consult.com/en/blog/advisories/file-extension-spoofing-in-windows-defender-antivirus/

∗∗∗ Red Hat Enterprise Linux: Vulnerability allows execution of arbitrary code with the privileges of the service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1054

--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

From team at cert.at Thu Dec 12 18:29:11 2019
From: team at cert.at (Daily end-of-shift report)
Date: Thu, 12 Dec 2019 18:29:11 +0100
Subject: [CERT-daily] Daily summary - 12.12.2019
Message-ID: <15761717510.3f4Bf02.17123@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Wednesday 11-12-2019 18:00 − Thursday 12-12-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ (Almost) Hollow and Innocent: Monero Miner Remains Undetected via Process Hollowing ∗∗∗
---------------------------------------------
Cryptocurrency values are increasing again, which may explain why the number of stealthy techniques to deliver them has also increased this year. We found another campaign using process hollowing and a dropper component to evade detection and analysis, which can potentially be used for other malware payloads.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/wSpVXlrw0Ok/

∗∗∗ Code & Data Reuse in the Malware Ecosystem ∗∗∗
---------------------------------------------
In the past, I already had the opportunity to give some "security awareness" sessions to developers. One topic that was always debated is the reuse of existing code. Indeed, for a developer, it's tempting to not reinvent the wheel when somebody already wrote a piece of code that achieves the expected results. From a gain of time perspective, it's a win for the developers who can focus on other code.
Of course, this can have side effects and introduce bugs, backdoors, etc.
---------------------------------------------
https://isc.sans.edu/forums/diary/Code+Data+Reuse+in+the+Malware+Ecosystem/25598/

∗∗∗ Winbox in the Wild ∗∗∗
---------------------------------------------
I’ve written, ad nauseam, about MikroTik routers. I’ve detailed vulnerabilities, post exploitation, and the protocol used by Winbox to communicate to the router on port 8291: [...]
---------------------------------------------
https://medium.com/tenable-techblog/winbox-in-the-wild-9a2ee4946add?source=rss----68728ef06732---4

∗∗∗ The little-known ways mobile device sensors can be exploited by cybercriminals ∗∗∗
---------------------------------------------
Mobile device sensors offer great utility to users—from taking pictures and commanding voice assistants to determining which direction to flip your screen. However, they harbor little-known vulnerabilities that could be exploited by crafty cybercriminals.
---------------------------------------------
https://blog.malwarebytes.com/iot/2019/12/the-little-known-ways-mobile-device-sensors-can-be-exploited-by-cybercriminals/

∗∗∗ Fake Post SMS demanding payment for waiting parcels ∗∗∗
---------------------------------------------
Are you waiting for a parcel right now? During the Christmas season that is not unlikely! Criminals take advantage of this and send fake SMS messages with the sender name "PST" or "POST". You are asked to confirm a payment of 2.99 euros by following a link. You end up on a fake Post website. Do not enter your data there; someone is trying to steal it!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-post-sms-zur-zahlung-fuer-wartende-pakete/

∗∗∗ What I Learned from Reverse Engineering Windows Containers ∗∗∗
---------------------------------------------
Our researcher provides an overview of containers, starting with their Linux history, and shows the different implementations of containers in Windows, how they work, the security pitfalls that may occur, as well as the internal implementation of objects that are necessary for containers in Windows.
---------------------------------------------
https://unit42.paloaltonetworks.com/what-i-learned-from-reverse-engineering-windows-containers/

∗∗∗ Microsoft details the most clever phishing techniques it saw in 2019 ∗∗∗
---------------------------------------------
This year's most clever phishing tricks include hijacking Google search results and abusing 404 error pages.
---------------------------------------------
https://www.zdnet.com/article/microsoft-details-the-most-clever-phishing-techniques-it-saw-in-2019/

=====================
= Vulnerabilities =
=====================

∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox and nss-softokn), Fedora (samba), Oracle (nss, nss-softokn, nss-util, nss-softokn, and thunderbird), Scientific Linux (thunderbird), SUSE (firefox), and Ubuntu (librabbitmq and samba).
---------------------------------------------
https://lwn.net/Articles/807186/

∗∗∗ Synology-SA-19:40 Samba AD DC ∗∗∗
---------------------------------------------
CVE-2019-14861 and CVE-2019-11479 allow remote authenticated users to conduct denial-of-service attacks or bypass security constraints via a susceptible version of Synology Directory Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_19_40

∗∗∗ Webform - Critical - Multiple vulnerabilities - SA-CONTRIB-2019-096 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2019-096

∗∗∗ Modal Page - Moderately critical - Access bypass - SA-CONTRIB-2019-094 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2019-094

∗∗∗ Taxonomy access fix - Moderately critical - Access bypass - SA-CONTRIB-2019-093 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2019-093

∗∗∗ Smart Trim - Moderately critical - Cross site scripting - SA-CONTRIB-2019-092 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2019-092

∗∗∗ Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-095 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2019-095

∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/

∗∗∗ BIG-IP TMM vulnerability CVE-2019-6671 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K39225055

∗∗∗ TMOS vulnerability CVE-2019-6664 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K03126093

∗∗∗ HPESBHF03973 rev.1 - HPE Servers with certain Intel Processors, Local Disclosure of Information, Local Escalation of Privilege ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03973en_us

∗∗∗ Red Hat OpenShift Service Mesh: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1067

∗∗∗ OpenBSD: Vulnerability allows privilege escalation ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1070

∗∗∗ Linux Kernel and hostapd: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1071

From team at cert.at Fri Dec 13 18:24:04 2019
From: team at cert.at (Daily end-of-shift report)
Date: Fri, 13 Dec 2019 18:24:04 +0100
Subject: [CERT-daily] Daily summary - 13.12.2019
Message-ID: <15762578440.0372.10300@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Thursday 12-12-2019 18:00 − Friday 13-12-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ New Echobot Variant Exploits 77 Remote Code Execution Flaws ∗∗∗
---------------------------------------------
The Echobot botnet is still after the low-hanging fruit, as a new variant has been spotted with an increased number of exploits that target unpatched devices, IoT for the most part.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-echobot-variant-exploits-77-remote-code-execution-flaws/

∗∗∗ All in the (Ransomware) Family: 10 Ways to Take Action ∗∗∗
---------------------------------------------
Check out our list of top 10 things to do to protect your organization from the deepening scourge of ransomware.
---------------------------------------------
https://threatpost.com/ransomware-family-10-ways-take-action/151080/

∗∗∗ Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities ∗∗∗
---------------------------------------------
Many of today’s threats evolve to incorporate as many living-off-the-land techniques as possible into the attack chain. The PowerShell-based downloader Trojan known as sLoad, however, puts all its bets on BITS.
---------------------------------------------
https://www.microsoft.com/security/blog/2019/12/12/multi-stage-downloader-trojan-sload-abuses-bits-almost-exclusively-for-malicious-activities/

∗∗∗ Internet banking sites and their use of TLS... and SSLv3... and SSLv2?!, (Fri, Dec 13th) ∗∗∗
---------------------------------------------
Although SSLv3 has been considered obsolete and insecure for a long time, a large number of web servers still support its use. And even though the numbers are much lower, some servers on the web support SSLv2 to this day as well. And, as it turns out, this is true even when it comes to web servers hosting internet banking portals.
---------------------------------------------
https://isc.sans.edu/diary/rss/25606

∗∗∗ Unmasking Black Hat SEO for Dating Scams ∗∗∗
---------------------------------------------
Malware obfuscation comes in all shapes and sizes, and it’s sometimes hard to recognize the difference between malicious and legitimate code when you see it. Recently, we came across an interesting case where attackers went a few extra miles to make it more difficult to notice the site infection.
---------------------------------------------
https://blog.sucuri.net/2019/12/unmasking-black-hat-seo-for-dating-scams.html

∗∗∗ Threat spotlight: The curious case of Ryuk ransomware ∗∗∗
---------------------------------------------
From comic book death god to ransomware baddie, Ryuk ransomware remains a mainstay when organizations find themselves in a crippling malware pinch. We look at Ryuk's origins, attack methods, and how to protect against this ever-present threat.
---------------------------------------------
https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/

∗∗∗ Targeted Attacks Deliver New "Anchor" Malware to High-Profile Companies ∗∗∗
---------------------------------------------
TrickBot/Anchor Campaign Could be a New Targeted Magecart Attack Against High-Profile Companies
---------------------------------------------
https://www.securityweek.com/targeted-attacks-deliver-new-anchor-malware-high-profile-companies

=====================
= Vulnerabilities =
=====================

∗∗∗ Advantech DiagAnywhere Server ∗∗∗
---------------------------------------------
This advisory contains mitigations for a stack-based buffer overflow vulnerability in the Advantech DiagAnywhere Server.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-346-01

∗∗∗ Omron PLC CJ and CS Series ∗∗∗
---------------------------------------------
This advisory includes information and mitigation recommendations for authentication vulnerabilities reported in the Omron PLC CJ and CS Series.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-346-02

∗∗∗ Omron PLC CJ, CS and NJ Series ∗∗∗
---------------------------------------------
This advisory includes information and mitigation recommendations for an authentication-related vulnerability in the Omron PLC CJ, CS, and NJ Series.
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-346-03

∗∗∗ WordPress 5.3.1 Security and Maintenance Release ∗∗∗
---------------------------------------------
This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes - see the list below.
---------------------------------------------
https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/

∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (knot-resolver and xen), openSUSE (kernel), and SUSE (haproxy, kernel, and openssl).
---------------------------------------------
https://lwn.net/Articles/807261/

∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-affect-ibm-tivoli-monitoring-embedded-websphere-application-and-ihs-server/

∗∗∗ Security Bulletin: A cross site scripting security vulnerability has been identified with Case Builder component in IBM Case Manager (CVE-2019-4426) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-security-vulnerability-has-been-identified-with-case-builder-component-in-ibm-case-manager-cve-2019-4426/

∗∗∗ Security Bulletin: A cross site scripting security vulnerability has been identified with Case Builder component shipped with IBM Business Automation Workflow (CVE-2019-4426) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-security-vulnerability-has-been-identified-with-case-builder-component-shipped-with-ibm-business-automation-workflow-cve-2019-4426/

∗∗∗ HPESBHF03974 rev.1 - HPE Servers using certain Intel Processors, Local Denial of Service, Disclosure of Information, Escalation of Privilege ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03974en_us

∗∗∗ Dovecot: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1076

∗∗∗ Trend Micro AntiVirus: Vulnerability allows denial of service or code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1077

From team at cert.at Mon Dec 16 18:24:34 2019
From: team at cert.at (Daily end-of-shift report)
Date: Mon, 16 Dec 2019 18:24:34 +0100
Subject: [CERT-daily] Daily summary - 16.12.2019
Message-ID: <15765170740.cAEf1C5.18934@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Friday 13-12-2019 18:00 − Monday 16-12-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ PCI Point-to-Point Encryption Standard 3.0 released ∗∗∗
---------------------------------------------
The PCI Security Standards Council (PCI SSC) has updated the PCI Point-to-Point Encryption Standard (P2PE) and supporting program. PCI P2PE Version 3.0 simplifies the process for component and solution providers to validate their P2PE products for cardholder data protection efforts.
---------------------------------------------
https://www.helpnetsecurity.com/2019/12/16/pci-point-to-point-encryption-standard/

=====================
= Vulnerabilities =
=====================

∗∗∗ JavaScript: Node packages can smuggle in binaries ∗∗∗
---------------------------------------------
A security vulnerability in the package managers for Node.js, NPM and Yarn, allows binaries to be planted and manipulated on the client system. Updates are available.
---------------------------------------------
https://www.golem.de/news/javascript-node-pakete-koennen-binaerdateien-unterjubeln-1912-145557-rss.html

∗∗∗ 2019-11-12: Cybersecurity Advisory - Automation Builder 2.2 (and earlier), Drive Application Builder 1.0 ∗∗∗
---------------------------------------------
ABB is aware of public reports of a vulnerability in the product versions listed above. This issue will be fixed by
· Version 2.3.0 of Automation Builder. The release of this version is expected for end of Q1 2020
· Version 1.1.0 of Drive Application Builder. The release of this version is expected for end of 2019
An attacker who successfully exploited this vulnerability could insert and run arbitrary JavaScript and/or ActiveX code.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=3ADR010465&LanguageCode=en&DocumentPartId=&Action=Launch

∗∗∗ Multiple Vulnerabilities in ABB PB610 PanelBuilder 600 ∗∗∗
---------------------------------------------
ABB is aware of a private report of four vulnerabilities in PB610 Panel Builder 600, versions 2.8.0.424 and earlier, affecting the HMIStudio and HMISimulator components. The vulnerabilities are corrected in version 2.8.0.460.
---------------------------------------------
http://www02.abb.com/GLOBAL/GAD/GAD01626.NSF/0/1520A33C30E2562EC12584D20058CC59?OpenDocument

∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in WAGO PFC200 ∗∗∗
---------------------------------------------
The WAGO PFC200 and PFC100 controllers contain multiple exploitable vulnerabilities. The PFC200 is one of WAGO’s programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing and building management. The vulnerabilities disclosed here all have their root cause within the protocol handling code of the I/O Check (iocheckd) configuration...
---------------------------------------------
https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-multiple.html

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (davical, intel-microcode, libpgf, php-horde, spamassassin, spip, and thunderbird), Mageia (clementine, dnsmasq, git, jasper, kdelibs4, kernel, libcroco, libgit2, libvirt, ncurses, openafs, proftpd, qbittorrent, signing-party, squid, and wireshark), openSUSE (java-1_8_0-openjdk and postgresql), Oracle (kernel), Red Hat (chromium-browser and openslp), and SUSE (kernel, libssh, and xen).
---------------------------------------------
https://lwn.net/Articles/807412/

∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191112-asa-ftd-lua-rce

∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect z/TPF ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-z-tpf/

∗∗∗ Security Bulletin: API Connect is impacted by credential caching ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-impacted-by-credential-caching/

∗∗∗ Security Bulletin: A security vulnerability has been identified in Kubernetes shipped with PowerAI Vision ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-kubernetes-shipped-with-powerai-vision/

∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an abend while processing messages (CVE-2019-4560) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a-denial-of-service-attack-caused-by-an-abend-while-processing-messages-cve-2019-4560/

From team at cert.at Tue Dec 17 18:08:08 2019
From: team at cert.at (Daily end-of-shift report)
Date: Tue, 17 Dec 2019 18:08:08 +0100
Subject: [CERT-daily] Daily summary - 17.12.2019
Message-ID: <15766024880.53A8B3.7835@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Monday 16-12-2019 18:00 − Tuesday 17-12-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ #include ∗∗∗
---------------------------------------------
Recently I saw a tweet where someone mentioned that you can include /dev/stdin in C code compiled with gcc. This is, to say the very least, surprising. When you see something like this with an IT security background you start to wonder if this can be abused for an attack.
---------------------------------------------
https://blog.hboeck.de/archives/898-include-etcshadow.html

∗∗∗ Is it Possible to Identify DNS over HTTPS Without Decrypting TLS? ∗∗∗
---------------------------------------------
Aside from the session length, I found that the payload length for DoH is somewhat telling. DNS queries and responses are usually a couple of hundred bytes long. HTTPS connections, on the other hand, tend to "fill" the MTU.
---------------------------------------------
https://isc.sans.edu/diary/rss/25616

∗∗∗ ESET BlueKeep (CVE-2019-0708) Detection Tool ∗∗∗
---------------------------------------------
Although the BlueKeep vulnerability (CVE-2019-0708) has not yet caused widespread chaos, it is still at a fairly early stage of the exploit lifecycle.
In fact, many systems are still unpatched, and a wormable version of the exploit could still appear. Because of these factors, ESET is providing a free detection tool that is meant to check whether a system is vulnerable to BlueKeep.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2019/12/17/eset-bluekeep-detection-tool/

∗∗∗ Christmas shopping on Amazon: beware of criminals ∗∗∗
---------------------------------------------
For many people, ordering on Amazon is already a matter of course and is associated with a largely positive shopping experience. But fraudulent offers can also be found on Amazon: if you are asked to contact the seller in advance by e-mail, or to settle the payment via an external account rather than through Amazon, you can assume the offer is not legitimate!
---------------------------------------------
https://www.watchlist-internet.at/news/weihnachtseinkaeufe-auf-amazon-vorsicht-vor-kriminellen/

=====================
= Vulnerabilities =
=====================

∗∗∗ Joomla - [20191202] - Core - Various SQL injections through configuration parameters ∗∗∗
---------------------------------------------
Versions: 2.5.0 - 3.9.13
CVE Number: CVE-2019-19846
The lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors.
---------------------------------------------
https://developer.joomla.org/security-centre/797-20191202-core-various-sql-injections-through-configuration-parameters.html

∗∗∗ Joomla - [20191201] - Core - Path Disclosure in framework files ∗∗∗
---------------------------------------------
Versions: 3.8.0 - 3.9.13
CVE Number: CVE-2019-19845
A missing access check in framework files could lead to a path disclosure.
---------------------------------------------
https://developer.joomla.org/security-centre/796-20191201-core-path-disclosure-in-framework-files.html

∗∗∗ This Bug Could Have Let Anyone Crash WhatsApp Of All Group Members ∗∗∗
---------------------------------------------
WhatsApp, the world's most popular end-to-end encrypted messaging application, patched an incredibly frustrating software bug that could have allowed a malicious group member to crash the messaging app for all members of the same group, The Hacker News learned. ... Check Point responsibly reported this crash bug to the WhatsApp security team back in late August this year, and the company patched the issue with the release of WhatsApp version 2.19.58 in mid-September.
---------------------------------------------
https://thehackernews.com/2019/12/whatsapp-group-crash.html

∗∗∗ CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI ∗∗∗
---------------------------------------------
Telerik UI for ASP.NET AJAX is a widely used suite of UI components for web applications. It insecurely deserializes JSON objects in a manner that results in arbitrary remote code execution on the software's underlying host.
---------------------------------------------
https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui

∗∗∗ Vulnerabilities in multiple third party TYPO3 CMS extensions ∗∗∗
---------------------------------------------
Several vulnerabilities have been found in the following third party TYPO3 extensions:
- "MKSamlAuth" (mksamlauth)
- "Change password for frontend users" (fe_change_pwd)
- "File List" (file_list)
- "femanager direct mail subscription" (femanager_dmail_subscribe)
- "femanager" (femanager)
---------------------------------------------
http://lists.typo3.org/pipermail/typo3-announce/2019/000455.html

∗∗∗ TYPO3 10.2.2, 9.5.13 and 8.7.30 security releases published ∗∗∗
---------------------------------------------
We are announcing the release of the following TYPO3 updates:
TYPO3 10.2.2
TYPO3 9.5.13 LTS
TYPO3 8.7.30 LTS
All versions are security releases and contain important security fixes.
---------------------------------------------
https://typo3.org/article/typo3-1022-9513-and-8730-security-releases-published/

∗∗∗ Security update: password prompt of TP-Link Archer routers can be bypassed ∗∗∗
---------------------------------------------
Attackers could exploit a critical security vulnerability to access some routers of the Archer series with admin rights.
---------------------------------------------
https://heise.de/-4616996

∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libssh, ruby2.3, and ruby2.5), Fedora (kernel and libgit2), openSUSE (chromium and libssh), Oracle (openslp), Red Hat (container-tools:1.0, container-tools:rhel8, freetype, kernel, and kpatch-patch), Scientific Linux (openslp), SUSE (git and LibreOffice), and Ubuntu (graphicsmagick).
---------------------------------------------
https://lwn.net/Articles/807505/

∗∗∗ Intel Patches Privilege Escalation Flaw in Rapid Storage Technology ∗∗∗
---------------------------------------------
A vulnerability Intel has addressed in the Rapid Storage Technology (RST) could allow a local user to escalate privileges to System. Intel RST is a Windows-based application that is provided with many computers that feature Intel chips to deliver improved performance and reliability when SATA disks are used.
---------------------------------------------
https://www.securityweek.com/intel-patches-privilege-escalation-flaw-rapid-storage-technology

∗∗∗ Security Bulletin: A security vulnerability has been identified in lodash shipped with PowerAI ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-lodash-shipped-with-powerai/

∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a libcgroup vulnerability (CVE-2018-14348) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affected-by-a-libcgroup-vulnerability-cve-2018-14348/

∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-rational-directory-server-tivoli-rational-directory-administrator/

∗∗∗ Security Bulletin: A security vulnerability has been identified in SQLite shipped with PowerAI ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-has-been-identified-in-sqlite-shipped-with-powerai/

∗∗∗ Security Bulletin: IBM SDK Oracle Java vulnerabilities affect IBM Watson Text to Speech and Speech to Text (IBM Watson™ Speech Services 1.1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-oracle-java-vunerabilities-affect-ibm-watson-text-to-speech-and-speech-to-text-ibm-watson-speech-services-1-1/

From team at cert.at Wed Dec 18 18:07:04 2019
From: team at cert.at (Daily end-of-shift report)
Date: Wed, 18 Dec 2019 18:07:04 +0100
Subject: [CERT-daily] Daily summary - 18.12.2019
Message-ID: <15766888240.93Ed.29762@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Tuesday 17-12-2019 18:00 − Wednesday 18-12-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ Forthcoming OpenSSL release ∗∗∗
---------------------------------------------
The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.0.2u. This release will be made available on Friday 20th December 2019 between 1300-1700 UTC. This will contain one LOW severity fix for CVE-2019-1551 previously announced here: https://www.openssl.org/news/secadv/20191206.txt
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2019-December/000164.html

∗∗∗ Do not pay fraudulent payment demands from top-urlaub.info! ∗∗∗
---------------------------------------------
Numerous internet users are currently reporting fraudulent invoices and payment demands from Next Trip Ltd. They come across an advertisement on social networks that promises cheap holiday offers. Registering leads to high payment demands for a supposedly concluded annual membership. The invoice of 239.90 euros does not have to be paid in such cases!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-zahlungsaufforderungen-von-top-urlaubinfo-nicht-bezahlen/

=====================
= Vulnerabilities =
=====================

∗∗∗ Google Releases Security Updates for Chrome for Windows, Mac, and Linux ∗∗∗
---------------------------------------------
Google has released security updates for Chrome version 79.0.3945.88 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2019/12/18/google-releases-security-updates-chrome-windows-mac-and-linux

∗∗∗ Microsoft Releases Out-of-Band Security Updates ∗∗∗
---------------------------------------------
Microsoft has released out-of-band security updates to address a vulnerability in SharePoint Server. An attacker could exploit this vulnerability to obtain sensitive information.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2019/12/18/microsoft-releases-out-band-security-updates

∗∗∗ SpamAssassin 3.4.3 available ∗∗∗
---------------------------------------------
Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we prepare to move to version 4.0.0 with better, native UTF-8 handling. There are a number of functional patches, improvements as well as security reasons to upgrade to 3.4.3. In this release, there are bug fixes for two CVEs.
--------------------------------------------- https://lwn.net/Articles/807539/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-edu-config, harfbuzz, libvorbis, and python-ecdsa), Fedora (chromium, fribidi, libssh, and openslp), openSUSE (chromium), Oracle (grub2), Red Hat (rh-maven35-apache-commons-beanutils), SUSE (kernel, libssh, mariadb, samba, and xen), and Ubuntu (openjdk-8, openjdk-lts). --------------------------------------------- https://lwn.net/Articles/807609/ ∗∗∗ Dell XPS 13 2-in-1 (7390): Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/12/warnmeldung_tw-t19-0188.html ∗∗∗ GE S2020/S2020G Fast Switch 61850 ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-351-01 ∗∗∗ Security Advisory - Improper Access Control Vulnerability in Huawei Share ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191218-01-share-en ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Huawei Share ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191218-02-share-en ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191218-02-smartphone-en ∗∗∗ Security Advisory - Information Disclosure Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191218-03-information-en ∗∗∗ Security Bulletin: vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect ∗∗∗ 
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openssl-affect-ibm-integration-bus-and-ibm-app-connect/

∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a Node.js Prototype Pollution vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-advisor-is-affected-by-a-node-js-by-prototype-pollution-vulnerabiliy/

∗∗∗ Security Bulletin: Multiple Vulnerabilities in the Linux kernel affect the IBM FlashSystem models V840 and V9000 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-linux-kernel-affect-the-ibm-flashsystem-models-v840-and-v9000/

∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by Node.js vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-advisor-is-affected-by-a-node-js-vulnerabilities/

∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cloud Transformation Advisor ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cloud-transformation-advisor-2/

∗∗∗ Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-jackson-databind-affect-ibm-platform-symphony-and-ibm-spectrum-symphony-2/

∗∗∗ Security Bulletin: IBM Planning Analytics has addressed a Security Vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-has-addressed-a-security-vulnerability/

∗∗∗ Security Bulletin: Multiple Vulnerabilities in the Linux kernel affect the IBM FlashSystem models 840 and 900 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-the-linux-kernel-affect-the-ibm-flashsystem-models-840-and-900/

∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-java-runtime-affect-ibm-cognos-command-center/

From team at cert.at Thu Dec 19 19:31:29 2019
From: team at cert.at (Daily end-of-shift report)
Date: Thu, 19 Dec 2019 19:31:29 +0100
Subject: [CERT-daily] Tageszusammenfassung - 19.12.2019
Message-ID: <15767802890.0fbd.18882@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Wednesday 18-12-2019 18:00 − Thursday 19-12-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ Emotet Gang Changes Tactics Ahead of the Winter Holidays ∗∗∗
---------------------------------------------
With the end of the year approaching fast, the authors of Emotet have made some changes that may increase their revenue for the holidays.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/emotet-gang-changes-tactics-ahead-of-the-winter-holidays/

∗∗∗ TP-Link Routers Give Cyberattackers an Open Door to Business Networks ∗∗∗
---------------------------------------------
Remote attackers can easily compromise the device and pivot to move laterally through the LAN or WAN.
---------------------------------------------
https://threatpost.com/tp-link-routers-cyberattackers-open-door/151254/

∗∗∗ Microsoft Updates November Security Updates with SharePoint Bug ∗∗∗
---------------------------------------------
Microsoft has added a fresh CVE to its security portal, linking it to the existing November security updates (the patch itself was already included in the updates, but not specifically named). The CVE describes a vulnerability in SharePoint Server. According to a Microsoft Security Advisory, an attacker could exploit the bug (CVE-2019-1491) to obtain sensitive information and then use that information to mount further attacks.
---------------------------------------------
https://threatpost.com/microsoft-issues-out-of-band-update-sharepoint-bug/151260/

∗∗∗ Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks ∗∗∗
---------------------------------------------
Microsoft Defender ATP data scientists and threat hunters collaborate to use a data science-driven approach to detecting RDP brute force attacks to protect customers against real-world threats.
---------------------------------------------
https://www.microsoft.com/security/blog/2019/12/18/data-science-for-cybersecurity-a-probabilistic-time-series-model-for-detecting-rdp-inbound-brute-force-attacks/

∗∗∗ How Websites Are Used to Spread Emotet Malware ∗∗∗
---------------------------------------------
In past posts, we've discussed the more popular reasons why hackers target smaller websites. Today, we'll focus instead on how hackers use compromised websites to spread dangerous malware like Emotet to end user victims.
---------------------------------------------
https://blog.sucuri.net/2019/12/how-websites-are-used-to-spread-emotet-malware.html

∗∗∗ Zero Day Vulnerability in Deutsche Bahn Ticket Machine Series System uncovered ∗∗∗
---------------------------------------------
Whitehat in action discovers Kiosk Escape & Escalation via Windows PasswordAgent
---------------------------------------------
https://www.vulnerability-db.com/?q=articles/2019/12/13/zero-day-vulnerability-deutsche-bahn-ticket-machine-series-system-uncovered

∗∗∗ Extortion 2.0: Ransomware gangs want to publish sensitive company data ∗∗∗
---------------------------------------------
The makers of Maze and Sodinokibi may be ushering in an unpleasant trend: they want to put sensitive documents of infected companies online.
---------------------------------------------
https://heise.de/-4619041

∗∗∗ Fake Krone.at advertisement lures Facebook users with free iPhones ∗∗∗
---------------------------------------------
Warning: advertisements in the name of the Kronen Zeitung are circulating on Facebook. They claim that Apple's largest warehouse burned down and that 2173 undamaged iPhones are now being given away in Austria. This is pure fiction, and the advertisement does not come from the Kronen Zeitung. Anyone who signs up here falls into a subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-kroneat-werbung-lockt-auf-facebook-mit-gratis-iphones/

∗∗∗ 30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world ∗∗∗
---------------------------------------------
In December 1989 the world was introduced to the first ever ransomware - and 30 years later ransomware attacks are now at crisis levels.
---------------------------------------------
https://www.zdnet.com/article/30-years-of-ransomware-how-one-bizarre-attack-laid-the-foundations-for-the-malware-taking-over-the-world/

=====================
= Vulnerabilities =
=====================

∗∗∗ Drupal Releases Security Updates ∗∗∗
---------------------------------------------
Original release date: December 19, 2019. Drupal has released security updates to address vulnerabilities in Drupal 7.x, 8.7.x, and 8.8.x. An attacker could exploit some of these vulnerabilities to modify data on an affected website.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2019/12/19/drupal-releases-security-updates

∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (git, libgit2, and shadow), Debian (debian-edu-config and python-django), Fedora (python-django), Mageia (apache-commons-beanutils, fence-agents, flightcrew, freerdp, htmldoc, libssh, pacemaker, rsyslog, samba, and sssd), Oracle (freetype and kernel), Scientific Linux (freetype and kernel), SUSE (firefox, spectre-meltdown-checker, thunderbird, xen, and zziplib), and Ubuntu (python-django).
---------------------------------------------
https://lwn.net/Articles/807711/

∗∗∗ Synology-SA-19:42 WordPress ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML or bypass security constraints via a susceptible version of WordPress.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_19_42

∗∗∗ Security Bulletin: IBM API Connect is impacted by a vulnerability in libexpat ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-a-vulnerability-in-libexpat/

∗∗∗ Security Bulletin: Multiple Vulnerabilities in GnuTLS affect IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnutls-affects-ibm-watson-studio-local/

∗∗∗ Security Bulletin: Multiple Vulnerabilities in libpng affect IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-libpng-affects-ibm-watson-studio-local/

∗∗∗ Security Bulletin: Vulnerability in jQuery affects IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jquery-affects-ibm-watson-studio-local/

∗∗∗ Security Bulletin: Multiple Vulnerabilities in libxml2 affect IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-libxml2-affects-ibm-watson-studio-local/

∗∗∗ PHP: Multiple vulnerabilities allow an unspecified attack ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1099

∗∗∗ Ruby on Rails: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1098

∗∗∗ Citrix Systems NetScaler Gateway: Vulnerability allows code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1093

∗∗∗ Atlassian Confluence: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1101

From team at cert.at Fri Dec 20 18:15:10 2019
From: team at cert.at (Daily end-of-shift report)
Date: Fri, 20 Dec 2019 18:15:10 +0100
Subject: [CERT-daily] Tageszusammenfassung - 20.12.2019
Message-ID: <15768621100.e6805D6B.8130@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Thursday 19-12-2019 18:00 − Friday 20-12-2019 18:00
Handler: Robert Waldner
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ From dropbox(updater) to NT AUTHORITY\SYSTEM ∗∗∗
---------------------------------------------
In this post I'm going to show how to use the DropBoxUpdater service in order to get SYSTEM privileges starting from a simple Windows user.
---------------------------------------------
https://decoder.cloud/2019/12/18/from-dropboxupdater-to-nt-authoritysystem/

∗∗∗ Using WebRTC ICE Servers for Port Scanning in Chrome ∗∗∗
---------------------------------------------
Using the browser to scan a LAN isn't a new idea. There are many implementations that use XHR requests, websockets, or plain HTML to discover and fingerprint LAN devices. But in this blog, I'll introduce a new scanning technique using WebRTC ICE servers. This technique is fast and, unlike the other methods, bypasses the blocked ports list. Unfortunately, it only works when the victim is using Chrome.
---------------------------------------------
https://medium.com/tenable-techblog/using-webrtc-ice-servers-for-port-scanning-in-chrome-ce17b19dd474

=====================
= Vulnerabilities =
=====================

∗∗∗ DSA-4590 cyrus-imapd - security update ∗∗∗
---------------------------------------------
It was discovered that the lmtpd component of the Cyrus IMAP server created mailboxes with administrator privileges if the fileinto [sieve directive] was used, bypassing ACL checks.
---------------------------------------------
https://www.debian.org/security/2019/dsa-4590

∗∗∗ Field Notice: FN - 70489 - PKI Self-Signed Certificate Expiration in Cisco IOS and Cisco IOS XE Software - Software Upgrade Recommended ∗∗∗
---------------------------------------------
Self-signed X.509 PKI certificates (SSC) that were generated on devices that run affected Cisco IOS® or Cisco IOS XE software releases expire on 2020-01-01 00:00:00 UTC. New self-signed certificates cannot be created on affected devices after 2020-01-01 00:00:00 UTC. Any service that relies on these self-signed certificates to establish or terminate a secure connection might not work after the certificate expires.
---------------------------------------------
https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70489.html

∗∗∗ OpenSSL version 1.0.2u published ∗∗∗
---------------------------------------------
The OpenSSL project team is pleased to announce the release of version 1.0.2u of our open source toolkit for SSL/TLS.
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2019-December/000165.html

∗∗∗ VMSA-2019-0023 ∗∗∗
---------------------------------------------
VMware Workstation and Horizon View Agent updates address a DLL-hijacking issue (CVE-2019-5539)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2019-0023.html

∗∗∗ Critical Vulnerability Patched in 301 Redirects – Easy Redirect Manager ∗∗∗
---------------------------------------------
On Friday December 13th, our Threat Intelligence team discovered vulnerabilities present in "301 Redirects – Easy Redirect Manager", a WordPress plugin installed on over 70,000 websites. These weaknesses allowed any authenticated user, even subscribers, to modify, delete, and inject redirect rules that could potentially result in a loss of site availability. We privately disclosed the issue to the plugin's developer, who was incredibly quick to respond and release a patch.
---------------------------------------------
https://www.wordfence.com/blog/2019/12/critical-vulnerability-patched-in-301-redirects-easy-redirect-manager/

∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cyrus-imapd and gdk-pixbuf), Fedora (cacti, cacti-spine, and fribidi), Red Hat (fribidi, git, and openstack-keystone), Scientific Linux (fribidi), Slackware (wavpack), and SUSE (firefox, kernel, mariadb, spectre-meltdown-checker, and trousers).
---------------------------------------------
https://lwn.net/Articles/807851/

∗∗∗ Atlassian Jira Software: Vulnerability allows bypassing of security measures ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit a vulnerability in Atlassian Jira Software to bypass security measures.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1105

∗∗∗ Moxa EDS Ethernet Switches ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-353-01

∗∗∗ Equinox Control Expert ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-353-02

∗∗∗ WECON PLC Editor ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-353-03

∗∗∗ Reliable Controls MACH-ProWebCom/Sys ∗∗∗
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsa-19-353-04

∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-addressed-multiple-vulnerabilties/

∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.2.0 ESR) have affected Synthetic Playback Agent 8.1.4.0 – 8.1.4 IF09 + ICAM Synthetic 3.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozzila-firefox-less-than-firefox-68-2-0-esr-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if09-icam-synthetic-3-0/

∗∗∗ Security Bulletin: Various security vulnerabilities in IBM Financial Transaction Manager for SWIFT Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-various-security-vulnerabilities-in-ibm-financial-transaction-manager-for-swift-services/

∗∗∗ Security Bulletin: IBM Cognos Business Intelligence has addressed multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-business-intelligence-has-addressed-multiple-vulnerabilties/

∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-affect-ibm-i/

∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 68.2.0 ESR) have affected Synthetic Playback Agent 8.1.4.0 – 8.1.4 IF09 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-of-mozzila-firefox-less-than-firefox-68-2-0-esr-have-affected-synthetic-playback-agent-8-1-4-0-8-1-4-if09/

∗∗∗ The BIG-IP DNS system may erroneously display the TSIG key secret in plain text form ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K36328238?utm_source=f5support&utm_medium=RSS

∗∗∗ ASM Cloud Security Services authentication vulnerability CVE-2019-6687 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K59957337?utm_source=f5support&utm_medium=RSS

∗∗∗ Synology-SA-19:42 Intel Processor Vulnerability ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_19_42

∗∗∗ Synology-SA-19:41 WordPress ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_19_41

From team at cert.at Mon Dec 23 18:08:53 2019
From: team at cert.at (Daily end-of-shift report)
Date: Mon, 23 Dec 2019 18:08:53 +0100
Subject: [CERT-daily] Tageszusammenfassung - 23.12.2019
Message-ID: <15771209330.a098.8860@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Friday 20-12-2019 18:00 − Monday 23-12-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ FBI Issues Alert For LockerGoga and MegaCortex Ransomware ∗∗∗
---------------------------------------------
The FBI has issued a warning to private industry recipients to provide information and guidance on the LockerGoga and MegaCortex Ransomware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/

∗∗∗ Mozi, Another Botnet Using DHT ∗∗∗
---------------------------------------------
Mozi Botnet relies on the DHT protocol to build a P2P network, and uses ECDSA384 and the xor algorithm to ensure the integrity and security of its components and P2P network. The sample spreads via Telnet with weak passwords and some known exploits.
---------------------------------------------
https://blog.netlab.360.com/mozi-another-botnet-using-dht/

∗∗∗ Extracting VBA Macros From .DWG Files, (Sun, Dec 22nd) ∗∗∗
---------------------------------------------
I updated my oledump.py tool to help with the analysis of files that embed OLE files, like AutoCAD's .dwg files with VBA macros.
---------------------------------------------
https://isc.sans.edu/diary/rss/25634

∗∗∗ Leveraging Disk Imaging Tools to Deliver RATs ∗∗∗
---------------------------------------------
This year we observed a notable uptick in disc imaging software (like .ISO) being used as a container for serving malware via email, with .ISO archives accounting for 6% of all malware attachment archives seen this year.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/leveraging-disk-imaging-tools-to-deliver-rats/

∗∗∗ Looking into Attacks and Techniques Used Against WordPress Sites ∗∗∗
---------------------------------------------
This blog post lists different kinds of attacks against WordPress, by way of payload examples we observed in the wild, and how attacks have used hacked admin access and API, Alfa-Shell deployment, and SEO poisoning to take advantage of vulnerable sites.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/mjE1ckQKGtA/

∗∗∗ Cracked two-factor login: Why software tokens are not a good idea ∗∗∗
---------------------------------------------
A presumably Chinese hacker group, whose attacks go back to 2011, is said to have discovered a novel attack on RSA software tokens.
---------------------------------------------
https://heise.de/-4622748

∗∗∗ Update now: Cisco ASA 5500-X Series firewalls remotely attackable ∗∗∗
---------------------------------------------
An ASA vulnerability known since 2018 is possibly being actively exploited at the moment.
---------------------------------------------
https://heise.de/-4621541

∗∗∗ Beware of GMX phishing mails ∗∗∗
---------------------------------------------
Numerous readers are currently reporting dangerous phishing mails with which criminals try to get hold of GMX accounts. GMX users therefore need to be on their guard if they are suddenly asked to log in because of an alleged account suspension. The data and e-mail accounts end up in the hands of criminals and can be used for crimes under a false identity!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gmx-phishing-mails/

∗∗∗ War Never Changes: Attacks Against WPA3's Enhanced Open — Part 2: Understanding OWE ∗∗∗
---------------------------------------------
https://posts.specterops.io/war-never-changes-attacks-against-wpa3s-enhanced-open-part-2-understanding-owe-90fdc29126a1

=====================
= Vulnerabilities =
=====================

∗∗∗ Patch now: Published Citrix applications leave networks of potentially 80,000 firms at risk from attackers ∗∗∗
---------------------------------------------
Unauthorised users able to perform arbitrary code execution
A critical vulnerability found in Citrix Application Delivery Controller and Citrix Gateway (formerly known as Netscaler ADC and Netscaler Gateway) means businesses with apps published using these technologies may be exposing their internal network to unauthorised access.
---------------------------------------------
https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/23/patch_now_published_citrix_applications_leave_network_vulnerable_to_unauthorised_access/

∗∗∗ Security hole in the Twitter app for Android ∗∗∗
---------------------------------------------
Through a security hole in the Twitter app for Android, malicious code can be injected that is able to read private data. An update is available.
---------------------------------------------
https://heise.de/-4621735

∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups, cyrus-sasl2, tightvnc, and x2goclient), Fedora (cacti and cacti-spine), openSUSE (mariadb and samba), Oracle (fribidi, git, and python), Red Hat (fribidi, libyang, and qemu-kvm-rhev), Slackware (openssl and tigervnc), and SUSE (firefox, nspr, nss and kernel).
---------------------------------------------
https://lwn.net/Articles/808026/

∗∗∗ Synology-SA-19:43 Drupal ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to upload arbitrary files via a susceptible version of Drupal.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_19_43

∗∗∗ F5 Security Advisories ∗∗∗
---------------------------------------------
https://support.f5.com/csp/new-updated-articles

∗∗∗ Security Bulletin: Multiple Vulnerabilities in libpng affect IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-libpng-affects-ibm-watson-studio-local-2/

∗∗∗ Security Bulletin: Input Validation Vulnerability in Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-input-validation-vulnerability-in-watson-studio-local/

∗∗∗ Security Bulletin: Multiple Vulnerabilities In Redis affect Watson Studio Local (CVE-2018-12453, CVE-2018-12326, CVE-2018-11218) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-redis-affects-watson-studio-local-cve-2018-12453-cve-2018-12326-cve-2018-11218/

∗∗∗ Security Bulletin: JWT Token Check Vulnerability in Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-jwt-token-check-vulnerability-in-watson-studio-local/

∗∗∗ Security Bulletin: Multiple Vulnerabilities in Kubernetes affect IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-kubernetes-affects-ibm-watson-studio-local/

∗∗∗ Security Bulletin: Watson Studio Local Key Storage Vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-watson-studio-local-key-storage-vulnerability/

∗∗∗ Security Bulletin: Multiple Vulnerabilities in GNU binutils affect IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affects-ibm-watson-studio-local/

∗∗∗ Security Bulletin: Multiple Vulnerabilities in GNU Binutils affect Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-gnu-binutils-affects-watson-studio-local/

∗∗∗ Security Bulletin: Internal SSL Communication Vulnerability in Watson Studio Local (PSIRT-ADV0011800) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-internal-ssl-communication-vulerability-in-watson-studio-local-psirt-adv0011800/

∗∗∗ Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-openssl-affects-ibm-watson-studio-local/

∗∗∗ Security Bulletin: Vulnerabilities in Samba affect IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-samba-affects-ibm-watson-studio-local/

From team at cert.at Fri Dec 27 18:09:21 2019
From: team at cert.at (Daily end-of-shift report)
Date: Fri, 27 Dec 2019 18:09:21 +0100
Subject: [CERT-daily] Tageszusammenfassung - 27.12.2019
Message-ID: <15774665610.2ae6D28.31337@taranis>

=====================
= End-of-Day report =
=====================

Timeframe: Monday 23-12-2019 18:00 − Friday 27-12-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a

=====================
= News =
=====================

∗∗∗ Timely acquisition of network traffic evidence in the middle of an incident response procedure, (Wed, Dec 25th) ∗∗∗
---------------------------------------------
The acquisition of evidence is one of the procedures that always brings controversy in incident management. We must answer questions such as: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/25560

∗∗∗ Bypassing UAC to Install a Cryptominer ∗∗∗
---------------------------------------------
First of all, Merry Christmas to all our readers! I hope you're enjoying the break with your family and friends! Even if everything slows down in this period, there is always malicious activity ongoing. I found a small PowerShell script that looked interesting for a quick diary. First of all, it has a VT score of 2/60[1]. It installs a cryptominer and its most interesting feature is the use of a classic technique to bypass UAC[2].
---------------------------------------------
https://isc.sans.edu/forums/diary/Bypassing+UAC+to+Install+a+Cryptominer/25644/

∗∗∗ Video: Identity theft with fake Airbnb mails ∗∗∗
---------------------------------------------
Airbnb enjoys a high level of trust among its users. Criminals try to take advantage of this too. They send fraudulent phishing mails in Airbnb's design.
---------------------------------------------
https://www.watchlist-internet.at/news/video-identitaetsdiebstahl-mit-gefaelschten-airbnb-mails/

∗∗∗ Video: Extortion mails ∗∗∗
---------------------------------------------
Criminals are sending extortion mails to internet users en masse. In them they claim to have filmed the recipients of the messages while masturbating. To prevent the video from being published, certain sums of money are to be paid in the form of Bitcoins.
--------------------------------------------- https://www.watchlist-internet.at/news/video-erpressungs-mails/ ===================== = Vulnerabilities = ===================== ∗∗∗ New Magellan 2.0 SQLite Vulnerabilities Affect Many Programs ∗∗∗ --------------------------------------------- New vulnerabilities in the SQLite database engine affect a wide range of applications that utilize it as a component within their software packages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-magellan-20-sqlite-vulnerabilities-affect-many-programs/ ∗∗∗ AVE DOMINAplus 1.10.x Credentials Disclosure Exploit ∗∗∗ --------------------------------------------- The application suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file /xml/authClients.xml and obtain administrative login information that allows for a successful authentication bypass attack. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php ∗∗∗ AVE DOMINAplus 1.10.x Authentication Bypass Exploit ∗∗∗ --------------------------------------------- DOMINAplus suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php ∗∗∗ AVE DOMINAplus 1.10.x Unauthenticated Remote Reboot ∗∗∗ --------------------------------------------- The application suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario. 
--------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5548.php ∗∗∗ AVE DOMINAplus 1.10.x CSRF/XSS Vulnerabilities ∗∗∗ --------------------------------------------- The application suffers from multiple CSRF and XSS vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script [...] --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5547.php ∗∗∗ Inim Electronics Smartliving SmartLAN/G/SI 6.x Hard-coded Credentials ∗∗∗ --------------------------------------------- The devices utilizes hard-coded credentials within its Linux distribution image. These sets of credentials (Telnet, SSH, FTP) are never exposed to the end-user and cannot be changed through any normal operation of the smart home device. Attacker could exploit this vulnerability by logging in and gain system access. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (freetype, kernel, nss, nss-softokn, nss-util, and thunderbird), Mageia (ghostpcl, libmirage, and spamassassin), Oracle (fribidi), and SUSE (mariadb-100, shibboleth-sp, and slurm). 
--------------------------------------------- https://lwn.net/Articles/808090/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, fribidi, nss, nss-softokn, nss-util, openslp, and thunderbird), Debian (opensc), and Mageia (389-ds-base, apache, apache-mod_auth_openidc, kernel, libofx, microcode, php, and ruby). --------------------------------------------- https://lwn.net/Articles/808119/ ∗∗∗ CA Client Automation 14.x Privilege Escalation ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019120108 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-01-validation-en ∗∗∗ Security Advisory - Integer Overflow Vulnerability in the Linux Kernel (SACK Panic) ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-01-kernel-en ∗∗∗ Security Advisory - Multiple Vulnerabilities in the X.509 Implementation in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-01-eudemon-en ∗∗∗ Security Advisory - Missing Integrity Checking Vulnerability on Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-01-digital-en ∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1110 ∗∗∗ ImageMagick / GraphicsMagick: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ 
--------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1117 ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1116 ∗∗∗ Nvidia GeForce Experience: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1114 ∗∗∗ Trend Micro Maximum Security: Schwachstelle ermöglicht Denial of Service oder Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1113 ∗∗∗ Trend Micro AntiVirus für Mac: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1120 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily From team at cert.at Mon Dec 30 18:08:19 2019 From: team at cert.at (Daily end-of-shift report) Date: Mon, 30 Dec 2019 18:08:19 +0100 Subject: [CERT-daily] Tageszusammenfassung - 30.12.2019 Message-ID: <15777256990.c3BFe8.31679@taranis> ===================== = End-of-Day report = ===================== Timeframe: Freitag 27-12-2019 18:00 − Montag 30-12-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Lesser-known Tools for Android Application PenTesting ∗∗∗ --------------------------------------------- Over time, I became familiar with the different tools, popular or not, that helped me in my assessments. In this post, I’ll list down these not-so-popular tools (in my opinion based on the different sources and blogs that I have read where these tools were not mentioned) that I’m using during my engagements. 
--------------------------------------------- https://captmeelo.com/pentest/2019/12/30/lesser-known-tools-for-android-pentest.html ∗∗∗ 36C3: Vertraue keinem Bluetooth-Gerät – schon gar nicht im vernetzten Auto ∗∗∗ --------------------------------------------- Bei Chips zur drahtlosen Datenübertragung etwa via Bluetooth gibt es massive Sicherheitslücken. Bei geteilten Antennen lässt sich etwa WLAN ausknipsen. --------------------------------------------- https://heise.de/-4624388 ===================== = Vulnerabilities = ===================== ∗∗∗ Trend Micro AntiVirus für Mac: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- Trend Micro AntiVirus ist eine Anti-Viren-Software. --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/12/warnmeldung_tw-t19-0192.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by SUSE (dia, kernel, and libgcrypt). --------------------------------------------- https://lwn.net/Articles/808135/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-lan-config, freeimage, imagemagick, libxml2, mediawiki, openssl1.0, php5, and tomcat8). --------------------------------------------- https://lwn.net/Articles/808234/ ∗∗∗ Intel SPS vulnerability CVE-2019-11109 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54164678 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily