Daily July 2017

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 17.07.2017
by Daily end-of-shift report 17 Jul '17

17 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-07-2017 18:00 − Montag 17-07-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Week in Ransomware - July 14th 2017 - NemucodAES, LeakerLocker, and More ∗∗∗ --------------------------------------------- It has been a slow week in terms of new releases, which is always a good thing. Still lots of small crapware being released that will never have much wide distribution. We also have some good news, which is the release of a NemucodAES decryptor by Emsisoft. This allows victims of this ransomware to get their files back for free. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-july-… ∗∗∗ We Tested More than 50 Free Security Tools so You can Use Them for Your Online Protection ∗∗∗ --------------------------------------------- The idea that we should create a gargantuan list of cyber security tools started to spring in our minds around the beginning of this year. We started from a simple idea: It should be useful. We need it. You need it. It will come in handy in the future, to have all those tools in […] --------------------------------------------- https://heimdalsecurity.com/blog/free-cyber-security-tools-list/ ∗∗∗ Popular Chrome Extension Sold To New Dev Who Immediately Turns It Into Adware ∗∗∗ --------------------------------------------- An anonymous reader writes: A company is going around buying abandoned Chrome extensions from their original developers and converting these add-ons into adware. The latest case is the Particle for YouTube Chrome extension, a simple tool that allows users to change the UI and behavior of some of YouTubes standard features. Because Google was planning major changes to YouTubes UI, the extensions original author decided to retire it and create a new one. This is when the a mysterious company --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/StqZHG6JsVY/popular-chrome-… ∗∗∗ Petya From The Wire: Detection using IDPS ∗∗∗ --------------------------------------------- Most malware that traverses a network do so with specific indicators, some of which look like legitimate network traffic and others that are completely unique to the malware. A single IDPS signature can have high confidence of detecting an infection... --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/Petya-From-The-Wire--Detecti… ∗∗∗ Gandi.net: Angreifer klaut interne Login-Daten und leitet Domains auf Malware um ∗∗∗ --------------------------------------------- Ein Angreifer hat die Login-Daten des französischen Registrars Gandi.net für einen seiner technischen Provider erlangt und 751 DNS-Einträge manipuliert, damit sie auf eine schädliche Website umleiten. --------------------------------------------- https://heise.de/-3772259 ∗∗∗ DDoS-Angriffe: Hacker flooden liebsten am Wochenende und abends ∗∗∗ --------------------------------------------- In seinem aktuellen DDoS-Report katalogisiert die deutsche Sicherheitsfirma Link11 die Distributed-Denial-of-Service-Angriffe auf Unternehmen der DACH-Region. Der Bericht legt nahe, dass solche Angriffe nach wie vor viel Schaden in Unternehmen anrichten. --------------------------------------------- https://heise.de/-3773640 ∗∗∗ Jetzt patchen: FreeRADIUS stopft Sicherheitslücken ∗∗∗ --------------------------------------------- Wer den beliebten Open-Source-RADIUS-Server FreeRADIUS verwendet, sollte Updates einspielen. Über Sicherheitslücken können Angreifer aus der Ferne Schadcode zur Ausführung bringen. --------------------------------------------- https://heise.de/-3773875 ∗∗∗ Keeping up with the Petyas: Demystifying the malware family ∗∗∗ --------------------------------------------- Last June 27, there was a huge outbreak of a Petya-esque malware with WannaCry-style infector in the Ukraine. Since there is still confusion about how exactly this malware is linked to the original Petya, we have prepared this small guide on the background of the Petya family.Categories: CybercrimeMalwareTags: Anti-RansomwareEternalPetyaGoldeneye ransomwaregreen petyajanusMischa ransomwareNotPetyaPetrwrappetya originsPetya ransomwareransomwarered petya(Read more...)The post Keeping up with the --------------------------------------------- https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas… ===================== = Advisories = ===================== ∗∗∗ DSA-3911 evince - security update ∗∗∗ --------------------------------------------- Felix Wilhelm discovered that the Evince document viewer made insecureuse of tar when opening tar comic book archives (CBT). Opening amalicious CBT archive could result in the execution of arbitrary code.This update disables the CBT format entirely. --------------------------------------------- https://www.debian.org/security/2017/dsa-3911 ∗∗∗ DSA-3910 knot - security update ∗∗∗ --------------------------------------------- Clément Berthaux from Synaktiv discovered a signature forgery vulnerability inknot, an authoritative-only DNS server. This vulnerability allows an attackerto bypass TSIG authentication by sending crafted DNS packets to a server. --------------------------------------------- https://www.debian.org/security/2017/dsa-3910 ∗∗∗ DSA-3909 samba - security update ∗∗∗ --------------------------------------------- Jeffrey Altman, Viktor Duchovni and Nico Williams identified a mutualauthentication bypass vulnerability in samba, the SMB/CIFS file, print, andlogin server. Also known as Orpheus Lyre, this vulnerability is located inSamba Kerberos Key Distribution Center (KDC-REP) component and could be used byan attacker on the network path to impersonate a server. --------------------------------------------- https://www.debian.org/security/2017/dsa-3909 ∗∗∗ WordPress Download Manager <= 2.9.49 - Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8856 ∗∗∗ WP-Members <= 3.1.7 - Authenticated Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8858 ∗∗∗ WordPress Download Manager <= 2.9.50 - Open Redirect ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/8857 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2017
by Daily end-of-shift report 14 Jul '17

14 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-07-2017 18:00 − Freitag 14-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ Hackers Are Using Automated Scans to Target Unfinished WordPress Installs ∗∗∗ --------------------------------------------- Experts from security firm Wordfence say they have observed a wave of web attacks that took aim at unfinished WordPress installations. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-are-using-automated-… ∗∗∗ Experts Warn Too Often AWS S3 Buckets Are Misconfigured, Leak Data ∗∗∗ --------------------------------------------- An analysis of Amazon Web Services storage containers reveals troubling trend of misconfigured S3 buckets that leak data. --------------------------------------------- http://threatpost.com/experts-warn-too-often-aws-s3-buckets-are-misconfigur… ∗∗∗ Reverse Engineering Hardware of Embedded Devices: From China to the World ∗∗∗ --------------------------------------------- This article covers some basic hardware reverse engineering techniques on PCB-level, which are applicable to any electronic embedded device to showcase how to analyze a previously unknown (to the researcher or public white-hat community) hardware device. --------------------------------------------- http://blog.sec-consult.com/2017/07/reverse-engineering-hardware.html ∗∗∗ Code Injection in Signed PHP Archives (Phar) ∗∗∗ --------------------------------------------- PHP contains an interesting but rarely used feature called Phar, which stands for PHp ARchive, that allows developers to package entire applications as a single executable file. It also boasts some additional security benefits by signing archives with a digital signature, disallowing the modification of the archives on production machines. --------------------------------------------- https://blog.sucuri.net/2017/07/code-injection-in-phar-signed-php-archives.… ∗∗∗ Peng!!! Comic HACKT Linux ∗∗∗ --------------------------------------------- Der unter Linux weit verbreitete Dokumenten-Betrachter Evince weist eine kritische Lücke auf, die sich ausnutzen lässt, um das System mit Schad-Software zu infizieren. Der Fehler lässt sich durch Comic-Books auslösen; Updates werden bereits ausgeliefert. --------------------------------------------- https://heise.de/-3771980 ∗∗∗ Thieves Used Infrared to Pull Data from ATM ‘Insert Skimmers’ ∗∗∗ --------------------------------------------- A greater number of ATM skimming incidents now involve so-called "insert skimmers," wafer-thin fraud devices made to fit snugly and invisibly inside a cash machine’s card acceptance slot. New evidence suggests that at least some of these insert skimmers -- which record card data and store it on a tiny embedded flash drive are -- equipped with technology allowing it to transmit stolen card data wirelessly via infrared, the same technology built into a television remote control. --------------------------------------------- https://krebsonsecurity.com/2017/07/thieves-used-infrared-to-pull-data-from… ∗∗∗ Gefälschte Rechnung verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Mit einer gefälschten Rechnung fordern Kriminelle Empfänger/innen dazu auf, einen Dateianhang zu öffnen. Er beinhalt angeblich eine "vollständige Kostenaufstellung". Diese ist in Wahrheit Schadsoftware. Rechnungsempfänger/innen dürfen sie nicht öffnen, andernfalls drohen ihnen erhebliche Nachteile. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-rechnu… ===================== = Advisories = ===================== ∗∗∗ Siemens SiPass integrated ∗∗∗ --------------------------------------------- This advisory contains mitigation details for improper authentication, improper privilege management, channel accessible by non-endpoint, and storing passwords in a recoverable format vulnerabilities in the Siemens SiPass integrated access control system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-194-01 ∗∗∗ GE Communicator ∗∗∗ --------------------------------------------- This advisory contains mitigation details for a heap-based buffer overflow vulnerability in the GE Communicator. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-194-02 ∗∗∗ Vulnerabilities in Dasan Networks GPON ONT WiFi Router H64X Series ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070101 https://cxsecurity.com/issue/WLB-2017070102 https://cxsecurity.com/issue/WLB-2017070103 https://cxsecurity.com/issue/WLB-2017070104 ∗∗∗ DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2892404 ∗∗∗ Search 404 - Moderately Critical - Cross Site Scripting - SA-CONTRIB-2017-053 ∗∗∗ --------------------------------------------- https://www.drupal.org/node/2888094 ∗∗∗ DFN-CERT-2017-1218: Evince: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1218/ ∗∗∗ DFN-CERT-2017-1221: GLPi: Mehrere Schwachstellen ermöglichen SQL-Injektionen und das Löschen beliebiger Dateien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1221/ ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Flex System FC5022 16Gb SAN Scalable Switch and IBM Flex System EN4023 10Gb Scalable Switch (CVE-2016-2108) ∗∗∗ --------------------------------------------- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5099625 ∗∗∗ Critical Patch Update - July 2017- Pre-Release Announcement ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html ∗∗∗ Apache mod_auth_digest Uninitialized Memory Error Lets Remote Users Obtain Potentially Sensitive Information and Deny Service ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038906 ∗∗∗ EMC ViPR SRM Default Accounts Let Remote Users Access the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038905 ∗∗∗ Pulse Connect Secure Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038880 ∗∗∗ SSA-589378 (Last Update 2017-07-13): Vulnerabilities in Android App SIMATIC Sm@rtClient ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-589378… ∗∗∗ SSA-874235 (Last Update 2017-07-13): Intel Vulnerability in Siemens Industrial Products ∗∗∗ --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2017
by Daily end-of-shift report 13 Jul '17

13 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-07-2017 18:00 − Donnerstag 13-07-2017 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Learning Pentesting with Metasploitable3: Exploiting WebDAV ∗∗∗ --------------------------------------------- Introduction: In the third part of this series, we discussed how to exploit Metasploitable3 using a vulnerability in Elasticsearch 1.1.1. As mentioned in one of the .. --------------------------------------------- http://resources.infosecinstitute.com/learning-pentesting-metasploitable3-e… ∗∗∗ Evolution of Conditional Spam Targeting Drupal Sites ∗∗∗ --------------------------------------------- Last year we took a look at how attackers were infecting Drupal installations to spread their spam and keep their campaigns going by just including a malicious file in each visitor’s session. If your Drupal site has been compromised, .. --------------------------------------------- https://blog.sucuri.net/2017/07/drupal-conditional-spam-evolved.html ∗∗∗ New Ransomware Threatens to Send Your Internet History & Private Pics to All Your Friends ∗∗∗ --------------------------------------------- After WannaCry and Petya ransomware outbreaks, a scary (but rather creative) new strain of ransomware is spreading via bogus apps on the Google Play Store, this time targeting Android mobile users. Dubbed LeakerLocker, the Android .. --------------------------------------------- https://thehackernews.com/2017/07/leakerlocker-android-ransomware.html ∗∗∗ The Rodeo: Scammer bauen falschen Tor-Browser für falschen Darknet-Marktplatz ∗∗∗ --------------------------------------------- Dieser angebliche Darknet-Marktplatz entpuppt sich als wilder Ritt: Die gekauften Waren kommen nie an und die ausgegebenen Bitcoins sind futsch. --------------------------------------------- https://heise.de/-3770979 ∗∗∗ 250 Euro Spar-Gutschein zu gewinnen? ∗∗∗ --------------------------------------------- WhatsApp-Nutzer/innen erhalten die Nachricht, dass sie einen 250 Euro Gutschein von Spar gewinnen können. Dafür sollen sie drei Fragen beantworten und das Gewinnspiel über WhatsApp teilen. Dafür gibt es den Gutschein .. --------------------------------------------- https://www.watchlist-internet.at/handy-abzocke/250-euro-spar-gutschein-zu-… ===================== = Advisories = ===================== ∗∗∗ SNMP Remote Code Execution Vulnerabilities in Cisco IOS and IOS XE Software ∗∗∗ --------------------------------------------- The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DFN-CERT-2017-1212/">Apache Software Foundation Struts: Zwei Schwachstelle ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1212/ ∗∗∗ DFN-CERT-2017-1214/">McAfee Advanced Threat Defence (ATD): Mehrere Schwachstellen ermöglichen u.a. Erlangen von Administratorrechten ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1214/ ∗∗∗ Die Leier des Orpheus: Samba, Microsoft und andere fixen kritische Kerberos-Lücke ∗∗∗ --------------------------------------------- Durch einen simplen Fehler bei der Nutzung von Kerberos können sich Angreifer im Netz Zugriffsrechte auf Dienste wie Dateifreigaben erschleichen. Betroffen sind sowohl Windows- als auch Linux-Server beziehungsweise deren Clients. --------------------------------------------- https://heise.de/-3770761 ∗∗∗ SAP schließt Sicherheitslücken in Point-of-Sale-Software ∗∗∗ --------------------------------------------- SAP hat zehn Sicherheitsupdates veröffentlicht. Bei zwei davon schätzt die Firma die damit verbundene Gefahr als "hoch" ein. --------------------------------------------- https://heise.de/-3770849 ∗∗∗ Juniper Junos Default Credentials in SRX Series Integrated User Firewall Lets Remote Users Access the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038904 ∗∗∗ Juniper Junos SNMP Processing Bug Lets Remote Users Deny Service and Execute Arbitrary Code ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038903 ∗∗∗ Juniper Junos Configuration Error Lets Remote Users Bypass Authentication and Access the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038902 ∗∗∗ BIG-IP PEM vulnerability CVE-2017-6144 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K81601350 ∗∗∗ iControl REST vulnerability CVE-2017-6145 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22317030 ∗∗∗ TMM SSL/TLS profile vulnerability CVE-2017-6141 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21154730 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2017
by Daily end-of-shift report 12 Jul '17

12 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-07-2017 18:00 − Mittwoch 12-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ NTLM Relay Attacks Still Causing Problems in 2017 ∗∗∗ --------------------------------------------- Microsofts July 2017 Patch Tuesday includes a fix for an issue with the NT LAN Manager (NTLM) Authentication Protocol that can be exploited to allow attackers to create admin accounts on a local networks domain controller (DC). [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ntlm-relay-attacks-still-cau… ∗∗∗ HTTPS: Private Schlüssel auf dem Webserver ∗∗∗ --------------------------------------------- Zu einem Zertifikat für verschlüsselte HTTPS-Verbindungen gehört ein privater Schlüssel. Doch was, wenn der Schlüssel auf dem Webserver landet - und dann nicht mehr privat ist? Wir fanden zahlreiche Webseiten, die ihren privaten Schlüssel zum Herunterladen anbieten. (SSL, Technologie) --------------------------------------------- https://www.golem.de/news/https-private-schluessel-auf-dem-webserver-1707-1… ∗∗∗ Telegram-Controlled Hacking Tool Targets SQL Injection at Scale ∗∗∗ --------------------------------------------- The Katyusha Scanner can find SQL injection bugs at scale, and is managed via the Telegram messenger on any smartphone. --------------------------------------------- http://threatpost.com/telegram-controlled-hacking-tool-targets-sql-injectio… ∗∗∗ July 2017 security update release ∗∗∗ --------------------------------------------- Today, we released security updates to provide additional protections against malicious attackers. By default, Windows 10 receives these updates automatically, and for customers running previous versions, we recommend they turn on automatic updates as a best practice. More information about this month’s security updates can be found on the Security Update Guide. MSRC team --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2017/07/11/july-2017-security-upda… ∗∗∗ Who Controls The Internet? ∗∗∗ --------------------------------------------- The title of the paper Who controls the Internet? Analyzing global threats using property traversal graphs is enough to ensnare any Internet researcher. The control plane for a number of attacks, as the paper points out, is the DNS due to the role it plays in mapping names to resources. MX records in the DNS control [...] --------------------------------------------- http://dyn.com/blog/who-controls-the-internet/ ∗∗∗ Julys Microsoft Patch Tuesday, (Tue, Jul 11th) ∗∗∗ --------------------------------------------- TodaysMicrosoft Patch Tuesdayfixes critical and important flaws that, if exploited, could give an attacker a range of possibilities - from privilege escalation to remote code execution (RCE) - on different Windows OS and Microsoft Office versions. --------------------------------------------- https://isc.sans.edu/diary/rss/22602 ∗∗∗ Backup Scripts, the FIM of the Poor, (Wed, Jul 12th) ∗∗∗ --------------------------------------------- File Integrity Management or FIM is an interesting security control that can help to detect unusual changes in a file system. By example, on a server, they are directories that do not change often. --------------------------------------------- https://isc.sans.edu/diary/rss/22606 ∗∗∗ Systemic Vulnerabilities in Customer-Premises Equipment (CPE) Routers ∗∗∗ --------------------------------------------- Customer-premises equipment (CPE)—specifically small office/home office (SOHO) routers—has become ubiquitous. CPE routers are notorious for their web interface vulnerabilities, old versions of software components with known vulnerabilities, default and hard-coded credentials, and other security issues. --------------------------------------------- http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=502613 ∗∗∗ What will it take to improve the ICS patch process? ∗∗∗ --------------------------------------------- While regular patching is indisputably good advice for IT networks, one of the main takeaways from the Petya and WannaCry attacks is that a lot of companies don’t do it. And with even more NSA exploits like EternalBlue scheduled to be released by The Shadow Brokers (TSB), it’s certainly not going to get any better. Patching IT systems is hard enough, but it’s even more difficult to patch industrial control systems (ICS), commonly found in [...] --------------------------------------------- https://www.helpnetsecurity.com/2017/07/12/ics-patch-process/ ===================== = Advisories = ===================== ∗∗∗ Security Update for Windows Kernel (3186973) ∗∗∗ --------------------------------------------- V1.0 (September 13, 2016): Bulletin published. V2.0 (July 11, 2017): Revised Windows Affected Software and Vulnerability Severity Ratings table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3305. Microsoft recommends that customers running Windows 10 Version 1703 should install update 4025342 to be protected from this vulnerability. --------------------------------------------- https://technet.microsoft.com/en-us/library/security/MS16-111 ∗∗∗ [2017-07-12] Multiple critical vulnerabilities in AGFEO smart home ES 5xx/6xx products ∗∗∗ --------------------------------------------- The AGFEO ES 5xx/6xx SmartHome product lines are prone to multiple critical vulnerabilities. It is possible to read the whole user database by an active debug web service in order to reveal all passwords even from the administrative account. Furthermore, many debug services are active which enable an attacker to reconfigure the whole device without such administrative permissions. A hardcoded cryptographic key pair is embedded in the firmware which is used for HTTPS communication. Those keys [...] --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017… ∗∗∗ Fuji Electric V-Server ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-02 ∗∗∗ ABB VSN300 WiFi Logger Card ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-03 ∗∗∗ OSIsoft PI Coresight ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-04 ∗∗∗ Schweitzer Engineering Laboratories, Inc. SEL-3620 and SEL-3622 ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-06 ∗∗∗ OSIsoft PI ProcessBook and PI ActiveView ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-192-05 ∗∗∗ NetIQ Privileged Account Manager 3.1 Patch Update 3 (3.1.0.3) ∗∗∗ --------------------------------------------- https://download.novell.com/Download?buildid=MtsbTyzebZw~ ∗∗∗ DFN-CERT-2017-1206/">FreeBSD, Heimdal: Eine Schwachstelle ermöglicht die vollständige Kompromittierung des Dienstes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1206/ ∗∗∗ Security Advisory - Directory Traversal Vulnerability in Push Module of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170712-… ∗∗∗ Security Advisory - Escalation of Privilege Vulnerability in Intel AMT, Intel ISM and Intel SMT ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170712-… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Push Module of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170712-… ∗∗∗ IBM Security Bulletin: Daeja ViewONE arbitrary files can be accessed ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003806 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004602 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects Rational Functional Tester (CVE-2017-3511, CVE-2017-3514, CVE-2017-3539) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005085 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in zlib affects IBM Common Inventory Technology (CIT) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005841 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities addressed in the IBM Emptoris Sourcing product (CVE-2017-1447, CVE-2017-1449, CVE-2017-1450, CVE-2017-1444) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005834 ∗∗∗ IBM Security Bulletin: Vulnerability in account lockout affects IBM License Metric Tool v9.x and IBM BigFix Inventory v9.x (CVE-2016-8964) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21995024 ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- http://support.podc.sl.edst.ibm.com/support/home/docdisplay?lndocid=MIGR-50… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities addressed in IBM Emptoris Strategic Supply Management (CVE-2016-6019, CVE-2016-8951, CVE-2016-8952 ) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005839 ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM WebSphere MQ (CVE-2016-3485 ) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22001630 ∗∗∗ JSA10806 - 2017-07 Security Bulletin: Junos OS: SRX Series: Cluster configuration synch failures occur if the root user account is locked out (CVE-2017-10604) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10806&actp=RSS ∗∗∗ JSA10775 - 2017-07 Security Bulletin: OpenSSL Security Advisory [26 Jan 2017] ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10775&actp=RSS ∗∗∗ JSA10779 - 2017-07 Security Bulletin: Junos: RPD crash due to malformed BGP OPEN message (CVE-2017-2314) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10779&actp=RSS ∗∗∗ JSA10782 - 2017-07 Security Bulletin: ScreenOS: Multiple XSS vulnerabilities in ScreenOS Firewall ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10782&actp=RSS ∗∗∗ JSA10787 - 2017-07 Security Bulletin: Junos: VM to host privilege escalation in platforms with Junos OS running in a virtualized environment. (CVE-2017-2341) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10787&actp=RSS ∗∗∗ JSA10789 - 2017-07 Security Bulletin: Junos: SRX Series denial of service vulnerability in flowd due to crafted DHCP packet (CVE-2017-10605) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10789&actp=RSS ∗∗∗ JSA10790 - 2017-07 Security Bulletin: SRX Series: MACsec failure to report errors (CVE-2017-2342) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10790&actp=RSS ∗∗∗ JSA10791 - 2017-07 Security Bulletin: SRX Series: Hardcoded credentials in Integrated UserFW feature. (CVE-2017-2343) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10791&actp=RSS ∗∗∗ JSA10792 - 2017-07 Security Bulletin: Junos: Buffer overflow in sockets library (CVE-2017-2344) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10792&actp=RSS ∗∗∗ JSA10793 - 2017-07 Security Bulletin: Junos: snmpd denial of service upon receipt of crafted SNMP packet (CVE-2017-2345) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10793&actp=RSS ∗∗∗ JSA10794 - 2017-07 Security Bulletin: MS-MPC or MS-MIC crash when passing large fragmented traffic through an ALG (CVE-2017-2346) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10794&actp=RSS ∗∗∗ JSA10797 - 2017-07 Security Bulletin: Junos OS: Incorrect argument handling in sendmsg() affects Junos OS (CVE-2016-1887) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10797&actp=RSS ∗∗∗ HPE Performance Center Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038868 ∗∗∗ HPE LoadRunner Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038867 ∗∗∗ Linux kernel vulnerability CVE-2017-1000365 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15412203 ∗∗∗ Linux kernel vulnerability CVE-2016-8399 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23030550 ∗∗∗ IPv6 fragmentation vulnerability CVE-2016-10142 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K57211290 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2017
by Daily end-of-shift report 11 Jul '17

11 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Montag 10-07-2017 18:00 − Dienstag 11-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ Security Bulletins posted for Adobe Flash Player and Adobe Connect ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB17-21) and Adobe Connect (APSB17-22). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. This posting is provided “AS IS” with no [...] --------------------------------------------- https://blogs.adobe.com/psirt/?p=1474 ∗∗∗ Exploiting Windows Authentication Protocols: Introduction ∗∗∗ --------------------------------------------- SMB relay attack Exploiting the weak Windows authentication protocols is on the top of the list for any adversary, because it mostly relies on a design flaw in the protocol itself, moreover, it is easy and could allow the adversary to get access to remote systems with almost no alert from most systems such as [...] --------------------------------------------- http://resources.infosecinstitute.com/exploiting-windows-authentication-pro… ∗∗∗ A Computational Complexity Attack against Racoon and ISAKMP Fragmentation ∗∗∗ --------------------------------------------- Trustwave recently reported a remotely exploitable computational complexity vulnerability in the racoon isakmp daemon that is part of the ipsec-tools open-source project (http://ipsec-tools.sourceforge.net/). The vulnerability is present in the handling of fragmented packets. A computational complexity attack seeks to cause [...] --------------------------------------------- http://trustwave.com/Resources/SpiderLabs-Blog/A-Computational-Complexity-A… ∗∗∗ Verschlüsselung knackbar: Hoffnung für (manche) NotPetya-Opfer ∗∗∗ --------------------------------------------- Die Entwickler des Verschlüsselungstrojaners NotPetya haben entscheidende Fehler bei der Umsetzung ihrer Verschlüsselung gemacht. Unter bestimmten Umständen lässt sich diese knacken. Automatische Tools wird es aber wohl erst einmal nicht geben. --------------------------------------------- https://heise.de/-3768889 ∗∗∗ SambaCry bedroht HPE-NonStop-Server ∗∗∗ --------------------------------------------- Das NonStopOS von Hewlett Packards NonStop-Serversystemen ist anfällig für Angriffe über die SambaCry-Lücke. Die Firma empfiehlt, entsprechende Workarounds umzusetzen, bis Patches bereit stehen. --------------------------------------------- https://heise.de/-3769117 ∗∗∗ Learning PowerShell: The basics ∗∗∗ --------------------------------------------- Get acquainted with some of the basic principles of Powershell and get prepared for some basic usage of this versatile tool that is available on all modern Windows systems. --------------------------------------------- https://blog.malwarebytes.com/101/how-tos/2017/07/learning-powershell-the-b… ∗∗∗ SAP Security Patch Day – July 2017 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that [...] --------------------------------------------- https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/ ===================== = Advisories = ===================== ∗∗∗ Schneider Electric Pelco Sarix/Spectra Cameras Root Remote Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070080 ∗∗∗ Schneider Electric Pelco Sarix/Spectra Cameras CSRF Enable SSH Root Access ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070076 ∗∗∗ DFN-CERT-2017-1193: Sophos UTM: Mehrere Schwachstellen ermöglichen u.a. Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1193/ ∗∗∗ HPESBNS03755 rev.1 - HPE NonStop Server using Samba, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=e… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is vulnerable to Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004729 ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance invalid requests cause denial of service to SDR and CLUSSDR channels (CVE-2017-1285) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22003856 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Cast Iron ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005610 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM Emptoris Spend Analysis product (CVE-2017-1445, CVE-2017-1446) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005787 ∗∗∗ IBM Security Bulletin:Multiple vulnerabilities in the IBM Emptoris Services Procurement product ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005550 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM Emptoris Sourcing product ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005549 ∗∗∗ IBM Security Bulletin: Apache PDFBox affects IBM Emptoris Contract Management (CVE-2016-2175) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22005591 ∗∗∗ SQL Injection in extension "Content Rating Extbase" (content_rating_extbase) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/sql-injection-in-extension-content-rating-ex… ∗∗∗ Remote Code Execution in extension "PHPMailer" (bb_phpmailer) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/remote-code-execution-in-extension-phpmailer… ∗∗∗ Remote Code Execution in extension "AH Sendmail" (ah_sendmail) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/remote-code-execution-in-extension-ah-sendma… ∗∗∗ Remote Code Execution in extension "Maag Sendmail" (maag_sendmail) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/remote-code-execution-in-extension-maag-send… ∗∗∗ SQL Injection in extension "Faceted Search" (ke_search) ∗∗∗ --------------------------------------------- https://typo3.org/news/article/sql-injection-in-extension-faceted-search-ke… ∗∗∗ Linux kernel vulnerability CVE-2017-1000364 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K51931024 ∗∗∗ Linux kernel vulnerability CVE-2017-1000366 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K20486351 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.07.2017
by Daily end-of-shift report 10 Jul '17

10 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-07-2017 18:00 − Montag 10-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ A VBScript with Obfuscated Base64 Data, (Sat, Jul 8th) ∗∗∗ --------------------------------------------- A few months ago, I posted a diary to explain how to search for (malicious) PE files in Base64 data[1]. Base64 is indeed a common way to distribute binary content in an ASCII form. There are plenty of scripts based on this technique. On my Macbook, Im using width:800px [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22590 ∗∗∗ Adversary hunting with SOF-ELK, (Sun, Jul 9th) ∗∗∗ --------------------------------------------- As we recently celebrated Independence Day in the U.S., Im reminded that we honor what was, of course, an armed conflict. Todays realities, when we think about conflict, are quite different than the days of lining troops up across the field from each other, loading muskets, and flinging balls of lead into the fray. We live in a world of asymmetrical battles, often conflicts that arent always obvious in purpose and intent, and likely fought on multiple fronts. For one of the best reads on the [...] --------------------------------------------- https://isc.sans.edu/diary/rss/22592 ∗∗∗ 94 .ch & .li domain names hijacked and used for drive-by ∗∗∗ --------------------------------------------- A Swiss domain holder called us today telling us that the .ch zone points to the wrong name servers for his domain. The NS entries were ns1.dnshost[.]ga and ns2.dnshost[.]ga. We contacted the registrar and soon realized that this is not the [...] --------------------------------------------- https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-an… ∗∗∗ BSI warnt Unternehmen gezielt vor akutem Risiko durch CEO Fraud ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2017/CEO_Fraud_1… ∗∗∗ Attack on Critical Infrastructure Leverages Template Injection ∗∗∗ --------------------------------------------- Contributors: Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall Executive SummaryAttackers are continually trying to find new ways to target users with malware sent via email. Talos has identified an email-based attack targeting the energy sector, including nuclear power, that puts a new spin on the classic word document attachment phish. Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro [...] --------------------------------------------- http://blog.talosintelligence.com/2017/07/template-injection.html ===================== = Advisories = ===================== ∗∗∗ Microsoft .NET Privilege Escalation ∗∗∗ --------------------------------------------- Topic: Microsoft .NET Privilege Escalation Risk: Medium Text:Hi @ll, all versions of .NET Framework support to load a COM object as code profiler, enabled via two or three environment ... --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070067 ∗∗∗ DSA-3905 xorg-server - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3905 ∗∗∗ Petya Malware Variant (Update C) ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01C ∗∗∗ iManager 3.0.3 Patch 2 (3.0.3.2) ∗∗∗ --------------------------------------------- https://download.novell.com/Download?buildid=KhPP8lJyDik~ ∗∗∗ DFN-CERT-2017-1188: SQLite: Eine Schwachstelle ermöglicht u.a. das Ausspähen von Informationen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1188/ ∗∗∗ DFN-CERT-2017-1187: Apache Software Foundation Struts: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1187/ ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects IBM WebSphere Application Server for Bluemix April 2017 CPU ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22004278 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Performance Tester. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004418 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Service Tester. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22004419 ∗∗∗ EMC Data Protection Advisor Input Validation Flaws Let Remote Authenticated Users Obtain Potentially Sensitive Information and Inject SQL Commands ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038841 ∗∗∗ EMC Secure Remote Services (ESRS) Policy Manager Undocumented Account With Default Password Lets Remote Users Access the Target System ∗∗∗ --------------------------------------------- -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2017
by Daily end-of-shift report 07 Jul '17

07 Jul '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-07-2017 18:00 − Freitag 07-07-2017 18:00 Handler: Stephan Richter Co-Handler: ===================== = News = ===================== ∗∗∗ CIA Malware Can Steal SSH Credentials, Session Traffic ∗∗∗ --------------------------------------------- WikiLeaks dumped today the documentation of two CIA hacking tools codenamed BothanSpy and Gyrfalcon, both designed to steal SSH credentials from Windows and Linux systems, respectively. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security /cia-malware-can-steal-ssh-credentials-session-traffic/ ∗∗∗ ZIP Bombs Can Protect Websites From Getting Hacked ∗∗∗ --------------------------------------------- Webmasters can use so-called ZIP bombs to crash a hackers vulnerability and port scanner and prevent him from gaining access to their website. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security /zip-bombs-can-protect-websites-from-getting-hacked/ ∗∗∗ IT und Energiewende: Stromnetzbetreiber fordern das ganz große Lastmanagement ∗∗∗ --------------------------------------------- Silizium statt Kupfer und Stahl: Die Energiewende und die Elektromobilität erfordern einen Ausbau des Stromnetzes. Doch die Netzbetreiber setzen lieber auf Digitalisierung und "Flexibilisierung". Stromlieferanten wollen sich gegen die Bevormundung wehren. (Smart Grid, GreenIT) --------------------------------------------- https://www.golem.de/news /it-und-energiewende-stromnetzbetreiber-fordern-das-ganz-grosse-last management-1707-128779-rss.html ∗∗∗ Decryption Key to Original Petya Ransomware Released ∗∗∗ --------------------------------------------- The key to decrypt the original Petya ransomware has been reportedly released by the ransomware’s author. --------------------------------------------- http://threatpost.com /decryption-key-to-original-petya-ransomware-released/126705/ ∗∗∗ Someones phishing US nuke power stations. So far, no kaboom ∗∗∗ --------------------------------------------- Stuxnet, this aint Dont panic, but attackers are trying to phish their way into machines in various US power facilities, including nuclear power station operators. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/071/07 /someones_phishing_us_nuke_power_stations_so_far_no_kaboom/ ∗∗∗ Lets not help attackers by spreading fear, uncertainty and doubt ∗∗∗ --------------------------------------------- Spreading FUD in the wake of cyber-attacks is never a good idea. But its even worse when this might be one of the attackers implicit goals. --------------------------------------------- https://www.virusbulletin.com:443/blog/2017/07 /lets-not-help-attackers-spreading-fear-uncertainty-and-doubt/ ∗∗∗ Hacker-Sammlung gefunden: 500 Mio. E-Mail-Adressen und Passwörter betroffen ∗∗∗ --------------------------------------------- Das Bundeskriminalamt hat in einer Underground-Economy-Plattform im Internet eine Sammlung von ca. 500.000.000 ausgespähten Zugangsdaten gefunden. Die Daten bestehen aus Email-Adressen mit dazugehörigen Passwörtern. Vermutlich stammen die Daten von verschiedenen Hacking-Angriffen und wurden über einen längeren Zeitraum zusammengetragen. Die aktuellsten ausgespähten Zugangsdaten sind wahrscheinlich aus Dezember 2016. --------------------------------------------- https://www.bka.de/SharedDocs/Kurzmeldungen/DE/Kurzmeldungen /170705_HackerSammlung.html ∗∗∗ Abgesicherte PHP-Versionen erschienen ∗∗∗ --------------------------------------------- Trotz der Möglichkeit von Angreifern Schadcode ausführen zu können, gilt der Bedrohungsgrad nicht als kritisch. --------------------------------------------- https://heise.de/-3766935 ∗∗∗ Android-Mega-Patch: Google schließt haufenweise kritische Lücken ∗∗∗ --------------------------------------------- Unter anderem werden Lücken in WLAN-Chipsets von Broadcom geschlossen, die Angreifern das Ausführen von Code mittels manipulierter Wifi-Pakete erlauben. Auch für Android 4.4 (KitKat) sind Patches dabei. --------------------------------------------- https://heise.de/-3767103 ∗∗∗ New Ransomware Variant "Nyetya" Compromises Systems Worldwide ∗∗∗ --------------------------------------------- Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated as research continues.Update 2017-07-06 12:30 EDT: Updated to explain the modified DoublePulsar backdoor.Since the SamSam attacks that targeted US healthcare entities in March 2016, Talos has been concerned about the proliferation of malware via unpatched network vulnerabilities. In May 2017, WannaCry ransomware took advantage of a vulnerability in [...] --------------------------------------------- http://blog.talosintelligence.com/2017/06 /worldwide-ransomware-variant.html ===================== = Advisories = ===================== ∗∗∗ Schneider Electric Wonderware ArchestrA Logger ∗∗∗ --------------------------------------------- This advisory contains mitigation details for stack-based buffer overflow, uncontrolled resource consumption, and null pointer deference vulnerabilities in Schneider Electric’s Wonderware ArchestrA Logger. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-187-04 ∗∗∗ Schneider Electric Ampla MES ∗∗∗ --------------------------------------------- This advisory contains mitigation details for cleartext transmission of sensitive information and inadequate encryption strength vulnerabilities in Schneider Electric’s Ampla MES. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-187-05 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Credential Disclosure ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070056 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Support Tunnel Hijack ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070060 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Username / Session ID Leak ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070059 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Early Boot Root Shell ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070058 ∗∗∗ Barracuda WAF V360 Firmware 8.0.1.014 Grub Password Complexity ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2017070057 ∗∗∗ Bugtraq: KL-001-2017-015 : Solarwinds LEM Hardcoded Credentials ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/540812 ∗∗∗ Bugtraq: [SYSS-2017-011] Office 365: Insufficient Session Expiration (CWE-613) ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/540814 ∗∗∗ iManager 2.7 Support Pack 7 - Patch 10 Hotfix 2 ∗∗∗ --------------------------------------------- https://download.novell.com/Download?buildid=WeEb4PchpTU~ ∗∗∗ eDirectory 8.8 SP8 Patch 10 ∗∗∗ --------------------------------------------- https://download.novell.com/Download?buildid=VYtYu65T21Y~ ∗∗∗ IBM Security Bulletin: IBM MQ Java/JMS application can incorrectly flow password in plain text. (CVE-2017-1337) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003853 ∗∗∗ IBM Security Bulletin: IBM MQ Passwords specified by MQ java or JMS applications can appear in WebSphere Application Server trace. (CVE-2017-1284) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003851 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server and Tivoli Netcool Performance Manager October 2016 and January 2017 CPU (multiple CVEs) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005615 ∗∗∗ IBM Security Bulletin: Vulnerabilities in tcpdump affect AIX ∗∗∗ --------------------------------------------- http://aix.software.ibm.com/aix/efixes/security/tcpdump_advisory2.asc ∗∗∗ PHP Multiple Flaws Let Remote Users Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1038837 ∗∗∗ systemd vulnerability CVE-2017-9445 ∗∗∗ ---------------------------------------------

1 0

Tageszusammenfassung - Donnerstag 6-07-2017
by Daily end-of-shift report 06 Jul '17

06 Jul '17

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 05-07-2017 18:00 − Donnerstag 06-07-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Decryptor Released for the Mole02 CryptoMix Ransomware Variant *** --------------------------------------------- It is always great to be able to announce a free decryptor for victims who have had their files encrypted by a ransomware. This is the case today, where a decryptor for the Mole02 cryptomix variant was released. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-m… *** Evolution of Conditional Spam Targeting Drupal Sites *** --------------------------------------------- Last year we took a look at how attackers were infecting Drupal installations to spread their spam and keep their campaigns going by just including a malicious file in each visitor's session. It's quite common for attackers to evolve their techniques and add new variations of hidden backdoors to make it harder to get rid of the infection. These evasion and reinfection techniques can also make it difficult to modify the malicious code, which is what has exactly happened in this case, [...] --------------------------------------------- https://blog.sucuri.net/2017/07/drupal-conditional-spam-evolved.html *** New BTCWare Ransomware Decrypter Released for the Master Variant *** --------------------------------------------- Security researcher Michael Gillespie has released a new version of the BTCWare ransomware decrypter after the author of the eponymous ransomware has leaked the private key for his latest version. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-btcware-ransomware-decry… *** Sicherheitsupdates: Cisco kämpft gegen statische und unverschlüsselte Zugangsdaten *** --------------------------------------------- Der Netzwerkausrüster stopft zum Teil kritische Sicherheitslücken in seinem Elastic Services Controller und seinem Ultra Services Framework. --------------------------------------------- https://heise.de/-3765238 *** M.E.Doc Software Was Backdoored 3 Times, Servers Left Without Updates Since 2013 *** --------------------------------------------- Servers and infrastructure belonging to Intellect Service, the company behind the M.E.Doc accounting software, were grossly mismanaged, being left without updates since 2013, and getting backdoored on three separate occasions during the past three months. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/m-e-doc-software-was-backdoo… *** The MeDoc Connection *** --------------------------------------------- The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was [...] --------------------------------------------- http://blog.talosintelligence.com/2017/07/the-medoc-connection.html *** Fritzbox-Lücke erlaubt delikate Einblicke ins lokale Netz *** --------------------------------------------- Durch ein Informationsleck können Webseiten offenbar viele Details über das Heimnetz eines Fritzbox-Nutzers erfahren. Zu den abfischbaren Daten zählen die Netzwerknamen aller Clients, IP- und Mac-Adresssen und die eindeutige ID der Fritzbox. --------------------------------------------- https://heise.de/-3764885 *** FIRST announces release of Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure *** --------------------------------------------- The Forum of Incident Response and Security Teams announces the release of a set of guidelines and norms for vulnerability disclosure that affects multiple parties. --------------------------------------------- https://www.first.org/newsroom/releases/20170706 *** APWG Global Phishing Survey 2016: Trends and Domain Name Use *** --------------------------------------------- This report comprehensively examines a large data set of more than 250,000 phishing attacks detected in 2015 and 2016. By quantifying this cybercrime activity and understanding the patterns that lurk therein, we have learned more about what phishers have been doing, and how they have accomplished their schemes. --------------------------------------------- https://apwg.org/resources/apwg-reports/domain-use-and-trends https://docs.apwg.org/reports/APWG_Global_Phishing_Report_2015-2016.pdf *** Gefälschte Anwaltsschreiben verbreiten Schadsoftware *** --------------------------------------------- In gefälschten Anwaltsschreiben behaupten Kriminelle, dass Adressat/innen Schulden bei einem Unternehmen haben. Weiterführende Informationen zu der offenen Geldforderung sollen sich im Dateianhang der Nachricht finden. In Wahrheit verbirgt er Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/gefaelschte-rechnungen/gefaelschte-anwalt… *** BadGPO - Using Group Policy Objects for Persistence and Lateral Movement *** --------------------------------------------- [...] Such policies are widely used in enterprise environments to control settings of clients and servers: registry settings, security options, scripts, folders, software installation and maintenance, just to name a few. Settings are contained in so-called Group Policy Objects (GPOs) and can be misused in a sneaky way to distribute malware and gain persistence in an automated manner in a post exploitation scenario of an already compromised domain. --------------------------------------------- http://www.sicherheitsforschung-magdeburg.de/uploads/journal/MJS_052_Willi_… *** ZDI-17-452: (0Day) Advantech WebOP Designer Project File Heap Buffer Overflow Remote Code Execution Vulnerability *** --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebOP Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-17-452/ *** Android Security Bulletin July 2017 *** --------------------------------------------- https://source.android.com/security/bulletin/2017-07-01.html *** BlackBerry powered by Android Security Bulletin July 2017 *** --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… *** Petya Malware Variant (Update B) *** --------------------------------------------- This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-181-01A Petya Ransomware Variant that was published July 3, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk [...] --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01B *** rsyslog: remote syslog PRI vulnerability CVE-2014-3634 *** --------------------------------------------- rsyslog: remote syslog PRI vulnerability CVE-2014-3634. Security Advisory. Security Advisory Description. rsyslog before ... --------------------------------------------- https://support.f5.com/csp/article/K42903299 *** DFN-CERT-2017-1171: LibTIFF: Mehrere Schwachstellen ermöglichen Denial-of-Service-Angriffe *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1171/ *** Security Advisories for Drupal Third-Party Modules *** --------------------------------------------- *** SMTP - Moderately Critical - Information Disclosure - SA-CONTRIB-2017-055 *** https://www.drupal.org/node/2890357 --------------------------------------------- *** DrupalChat - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-057 *** https://www.drupal.org/node/2892404 --------------------------------------------- *** OAuth - Critical - Access Bypass - SA-CONTRIB-2017-056 *** https://www.drupal.org/node/2892400 --------------------------------------------- *** IBM Security Bulletins *** --------------------------------------------- *** IBM Security Bulletin: A Security vulnerability in IBM Java SDK affects IBM Tivoli System Automation for Multiplatforms (CVE-2017-1289). *** http://www.ibm.com/support/docview.wss?uid=swg22005058 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www-01.ibm.com/support/docview.wss?uid=swg22002336 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) *** http://www.ibm.com/support/docview.wss?uid=swg22002335 --------------------------------------------- *** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand *** http://www-01.ibm.com/support/docview.wss?uid=swg22000488 --------------------------------------------- *** Siemens Security Advisories *** --------------------------------------------- *** SSA-804859 (Last Update 2017-07-06): Denial of Service Vulnerability in SIMATIC Logon *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-804859… --------------------------------------------- *** SSA-874235 (Last Update 2017-07-06): Intel Vulnerability in Siemens Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-874235… --------------------------------------------- *** SSA-275839 (Last Update 2017-07-06): Denial-of-Service Vulnerability in Industrial Products *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839… --------------------------------------------- *** SSA-931064 (Last Update 2017-07-06): Authentication Bypass in SIMATIC Logon *** https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-931064… --------------------------------------------- *** Cisco Security Advisories *** --------------------------------------------- *** Cisco Nexus Series Switches Telnet CLI Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Nexus Series Switches CLI Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco FireSIGHT System Software Arbitrary Code Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Wide Area Application Services Central Manager Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Wide Area Application Services Core Dump Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Ultra Services Framework Staging Server Arbitrary Command Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Ultra Services Framework AutoVNF Log File User Credential Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Ultra Services Framework AutoVNF Symbolic Link Handling Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Ultra Services Framework UAS Unauthenticated Access Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco StarOS Border Gateway Protocol Process Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Network Privilege Escalation Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Identity Services Engine Guest Portal Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XR Software Multicast Source Discovery Protocol Session Denial of Service Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco IOS XR Software Incorrect Permissions Privilege Escalation Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Elastic Services Controller Unauthorized Access Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Elastic Services Controller Arbitrary Command Execution Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco Prime Network Information Disclosure Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… --------------------------------------------- *** Cisco StarOS CLI Command Injection Vulnerability *** https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ---------------------------------------------

1 0

Tageszusammenfassung - Mittwoch 5-07-2017
by Daily end-of-shift report 05 Jul '17

05 Jul '17

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 04-07-2017 18:00 − Mittwoch 05-07-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** #NoPetya-Attacke hinterließ Sicherheitslücke *** --------------------------------------------- Der weltweite Cyberangriff in der vergangenen Woche hat schwerwiegendere Folgen als bislang bekannt. --------------------------------------------- https://futurezone.at/digital-life/nopetya-attacke-hinterliess-sicherheitsl… *** Cyber-Attacke NotPetya: Angebliche Angreifer wollen 250.000 Euro für Datenrettung *** --------------------------------------------- Die mutmaßlichen Entwickler der Schadsoftware NotPetya wollen gegen 100 Bitcoin (fast 250.000 Euro) einen Schlüssel herausgeben, mit dem die Daten zu retten sein sollen. Ob sie Wort halten, ist unklar. Beobachter vermuten andere Motive hinter der Wendung. --------------------------------------------- https://heise.de/-3764208 *** Ukrainian Police Seize Servers From Where NotPetya Outbreak First Spread *** --------------------------------------------- Ukrainian Police announced today it seized the servers from where the NotPetya ransomware outbreak first started to spread. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ukrainian-police-seize-serve… *** The day a mysterious cyber-attack crippled Ukraine *** --------------------------------------------- On the morning of Tuesday, 27 June, Oleh Derevianko, the head of Kiev-based cybersecurity firm Information Security Systems Partners (ISSP), was at Bessarabska market, a popular food market in the heart of downtown. Derevianko was picking up a few things before heading out for the 300km drive to his parents' village. Wednesday was constitution day in Ukraine, a national holiday, and he'd be using the mid-week break to spend a couple days with his kids. --------------------------------------------- http://www.bbc.com/future/story/20170704-the-day-a-mysterious-cyber-attack-… *** NotPetya Group Moves All Their Bitcoin, Posts Proposition on the Dark Web *** --------------------------------------------- The person or group behind the NotPetya ransomware has made its first move since the outbreak that took place eight days ago. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/notpetya-group-moves-all-the… *** Doctor Web: M.E.Doc backdoor lets cybercriminals access computers *** --------------------------------------------- July 4, 2017 Doctor Web security researchers examined the update module M.E.Doc and discovered that it is involved in the distribution of at least one other malicious program. You may recall that independent researchers named specifically this M.E.Doc update module as the source of the recent outbreak of the encryption worm Trojan.Encoder.12544, also known as NePetya, Petya.A, ExPetya and WannaCry-2. M.E.Doc is tax accounting software that is popular in Ukraine. --------------------------------------------- http://news.drweb.com/show/?i=11363&lng=en&c=9 *** Qubes OS im Test: Linux sicher und nutzerfreundlich? *** --------------------------------------------- Anwendungen und Einsatzbereiche voneinander per Virtualisierung trennen, gleichzeitig eine für den regulären Nutzer einfach zu bedienende Desktop-Oberfläche bieten: Das Qubes-OS-Projekt hat sich einiges vorgenommen. --------------------------------------------- https://heise.de/-3764500 *** Österreich im Bereich Cybersicherheit auf Platz 30 *** --------------------------------------------- Große Industriestaaten schneiden bei der Cybersicherheit einer UN-Studie zufolge teils schlechter ab als einige deutlich ärmere Staaten. --------------------------------------------- https://futurezone.at/digital-life/oesterreich-im-bereich-cybersicherheit-a… *** Introducing Linux Support for FakeNet-NG: FLARE's Next GenerationDynamic Network Analysis Tool *** --------------------------------------------- Introduction In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware analysis and reverse engineering. Since FakeNet-NG's release, FLARE has added support for additional protocols. FakeNet-NG now has out-of-the-box support for DNS, HTTP (including BITS), FTP, TFTP, [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2017/07/linux-support-for-faken… *** The Hardware Forensic Database *** --------------------------------------------- The Hardware Forensic Database (or HFDB) is a project of CERT-UBIK aiming at providing a collaborative knowledge base related to IoT Forensic methodologies and tools. --------------------------------------------- http://hfdb.io/ *** Kundendaten: Datenleck bei der Deutschen Post *** --------------------------------------------- Eine Datenbank mit 200.000 Umzugsmitteilungen der Post lag ungeschützt im Netz. Tausende andere Firmen aus aller Welt haben exakt den gleichen Fehler gemacht. --------------------------------------------- https://www.golem.de/news/kundendaten-datenleck-bei-der-deutschen-post-1707… *** Vulnerability Spotlight: Dell Precision Optimizer and Invincea Vulnerabilities *** --------------------------------------------- Talos are releasing advisories for vulnerabilities in the Dell Precision Optimizer application service software, Invincea-X and Invincea Dell Protected Workspace. These packages are pre-installed on certain Dell systems. Vulnerabilities present in these applications could allow attackers to disable security mechanisms, escalate privileges and execute arbitrary code within the context of the application user. --------------------------------------------- http://blog.talosintelligence.com/2017/06/vulnerability-spotlight-dell-prec… *** Security Advisory - DoS Vulnerability in TLS of Some Huawei Products *** --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170705-… *** rt-sa-2017-011 *** --------------------------------------------- Remote Command Execution in PDNS Manager --------------------------------------------- https://www.redteam-pentesting.de/advisories/rt-sa-2017-011.txt *** DFN-CERT-2017-1159: Foxit Reader, Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1159/ *** IBM Security Bulletin: Incorrect saved channel status enquiry could cause denial of service for IBM MQ (CVE-2017-1236) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22003510 *** IBM Security Bulletin: Vulnerabilities in OpenSSL affect Tivoli Provisioning Manager for OS Deployment and Tivoli Provisioning Manager for Images *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22005108 *** IBM Security Bulletin: RabbitMQ vulnerability affect IBM Cloud Manager with OpenStack (CVE-2015-8786) *** --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1025403

1 0

Tageszusammenfassung - Dienstag 4-07-2017
by Daily end-of-shift report 04 Jul '17

04 Jul '17

======================= = End-of-Shift report = ======================= Timeframe: Montag 03-07-2017 18:00 − Dienstag 04-07-2017 18:00 Handler: Stephan Richter Co-Handler: n/a *** Yet more reasons to disagree with experts on nPetya *** --------------------------------------------- In WW II, they looked at planes returning from bombing missions that were shot full of holes. Their natural conclusion was to add more armor to the sections that were damaged, to protect them in the future. But wait, said the statisticians. The original damage is likely spread evenly across the plane. Damage on returning planes indicates where they could damage and still return. The undamaged areas are where they were hit and couldnt return. Thus, its the undamaged areas you need to [...] --------------------------------------------- http://blog.erratasec.com/2017/07/yet-more-reasons-to-disagree-with.html *** Analysis of TeleBots cunning backdoor *** --------------------------------------------- On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery. In fact, the malware authors' intention was to cause damage, so they did all that they could to make data decryption very unlikely. --------------------------------------------- https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-back… *** GnuPG crypto library cracked, look for patches *** --------------------------------------------- Boffins bust libgcrypt via side-channel Linux users need to check out their distributions to see if a nasty bug in libgcrypt20 has been patched. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/07/04/gnupg_crypt… *** Cryptology ePrint Archive: Report 2017/627 *** --------------------------------------------- Sliding right into disaster: Left-to-right sliding windows leak Abstract: It is well known that constant-time implementations of modular exponentiation cannot use sliding windows. However, software libraries such as Libgcrypt, used by GnuPG, continue to use sliding windows. It is widely believed that, even if the complete pattern of squarings and multiplications is observed through a side-channel attack, the number of exponent bits leaked is not sufficient to carry out a full key-recovery [...] --------------------------------------------- https://eprint.iacr.org/2017/627 *** ERCIM News 110 published - Special theme "Blockchain Engineering" *** --------------------------------------------- The ERCIM News No. 110 has just been published at with a special theme on "Blockchain Engineering". SBA Research contributes two articles in this issue. The first article is by Aljosha Judmayer, Alexei Zamyatin, Nicholas Stifter and Edgar Weippl on [...] --------------------------------------------- https://www.sba-research.org/2017/07/03/ercim-news-110-published-special-th… *** Joomla! 3.7.3 Release *** --------------------------------------------- Security Issues Fixed Core - Information Disclosure (affecting Joomla 1.7.3-3.7.2) Core - XSS Vulnerability (affecting Joomla 1.7.3-3.7.2) Core - XSS Vulnerability (affecting Joomla 1.5.0-3.6.5) --------------------------------------------- https://www.joomla.org/announcements/release-news/5709-joomla-3-7-3-release… *** Petya Malware Variant (Update A) *** --------------------------------------------- This updated alert is a follow-up to the original alert titled ICS-ALERT-17-181-01 Petya Ransomware Variant that was published June 30, 2017, on the NCCIC/ICS-CERT web site. ICS-CERT is aware of reports of a variant of the Petya malware that is affecting several countries. ICS-CERT is releasing this alert to enhance the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk --------------------------------------------- https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01A *** RSA Archer eGRC Multiple Flaws Let Remote Users Conduct Cross-Site Scripting, Cross-Site Request Forgery, and Open Redirect Attacks and Let Remote Authenticated Users Obtain Potentially Sensitive Information *** --------------------------------------------- http://www.securitytracker.com/id/1038815 *** DFN-CERT-2017-1145: Apache Subversion: Eine Schwachstelle ermöglicht die Manipulation von Daten *** --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1145/ *** SSA-563539 (Last Update: 2017-07-04): Vulnerabilities in OZW672 and OZW772 *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-563539… *** SSA-323211 (Last Update: 2017-07-04): Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact Devices *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-323211… *** SSA-452237 (Last Update: 2017-07-04): Vulnerabilities in Reyrolle *** --------------------------------------------- https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-452237… *** IBM Security Bulletin: Weak Cipher available in IBM API Connect (CVE-2015-2808) *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22003868 *** IBM Security Bulletin: Multiple vulnerabilities in Open Source zlib affects IBM Netezza Platform Software clients (CVE-2016-9840, CVE-2016-9841 and CVE-2016-9843). *** --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22001026

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily July 2017