Daily September 2017

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 15.09.2017
by Daily end-of-shift report 15 Sep '17

15 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-09-2017 18:00 − Freitag 15-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ten Malicious Libraries Found on PyPI - Python Package Index ∗∗∗ --------------------------------------------- The Slovak National Security Office (NBU) has identified ten malicious Python libraries uploaded on PyPI — Python Package Index — the official third-party software repository for the Python programming language. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/ten-malicious-libraries-foun… ∗∗∗ Equifax Confirms March Struts Vulnerability Behind Breach ∗∗∗ --------------------------------------------- Equifax divulged on Wednesday that the culprit behind this summers breach of 143 million Americans was an Apache Struts vulnerability, CVE-2017-5638, patched back in March. --------------------------------------------- http://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-br… ∗∗∗ VMware Patches Bug That Allows Guest to Execute Code on Host ∗∗∗ --------------------------------------------- Users who run four different types of VMware products, ESXi, vCenter Server, Fusion and Workstation, are being encouraged to update to address a series of vulnerabilities, one critical. --------------------------------------------- http://threatpost.com/vmware-patches-bug-that-allows-guest-to-execute-code-… ∗∗∗ Yet Another Android Malware Infects Over 4.2 Million Google Play Store Users ∗∗∗ --------------------------------------------- Even after so many efforts by Google, malicious apps somehow managed to fool its Play Stores anti-malware protections and infect people with malicious software. The same happened once again when at least 50 apps managed to make its way onto Google Play Store and were successfully downloaded as many as 4.2 million times—one of the biggest malware outbreaks. Security firm Check Point on --------------------------------------------- https://thehackernews.com/2017/09/play-store-malware.html ∗∗∗ Google veröffentlicht API zum Malware-Schutz für Android ∗∗∗ --------------------------------------------- Mit der SafetyNet Verify Apps API können Apps überprüfen, ob Android-Endgeräte Google Play Protect verwenden. Auch der Zugriff auf die Scan-Funktion ist über die Schnittstelle möglich. --------------------------------------------- https://heise.de/-3832697 ∗∗∗ Bashware: Windows 10 über Linux-Komponente angreifbar ∗∗∗ --------------------------------------------- Die Sicherheitsfirma Checkpoint hat eine Möglichkeit gefunden, wie man Windows-10-Rechner über die optionalen Linux-Komponenten des Betriebssystems angreifen kann. Allerdings übertreiben die Forscher den Ernst der Lage gehörig. --------------------------------------------- https://heise.de/-3833695 ∗∗∗ Malvertising-Kampagne setzt auf Krypto-Mining in fremden Browsern ∗∗∗ --------------------------------------------- Fremde CPU-Leistung mittels Malware zum Mining von Bitcoins und Co. zu missbrauchen, ist eine altbewährte Strategie. Eine aktuelle Malvertising-Kampagne im osteuropäischen Raum verlegt das Mining per JavaScript direkt in den Webbrowser. --------------------------------------------- https://heise.de/-3833536 ===================== = Advisories = ===================== ∗∗∗ LOYTEC LVIS-3ME ∗∗∗ --------------------------------------------- This advisory contains mitigation details for relative path traversal, insufficient entropy, cross-site scripting and insufficiently protected credentials vulnerabilities within LOYTECs LVIS-3ME HMI touch panel. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-257-01 ∗∗∗ VMSA-2017-0015 ∗∗∗ --------------------------------------------- VMware ESXi, vCenter Server, Fusion and Workstation updates resolve multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2017-0015.html ∗∗∗ USN-3417-1: Libgcrypt vulnerability ∗∗∗ --------------------------------------------- Ubuntu Security Notice USN-3417-1 14th September, 2017 libgcrypt20 vulnerability A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 17.04 Summary Libgcrypt could be made to expose sensitive information. Software description libgcrypt20 - LGPL Crypto library Details Daniel Genkin, Luke Valenta, and Yuval Yarom discovered that Libgcrypt was susceptible to an attack via side channels. A local attacker could use this attack to recover Curve25519 private keys. --------------------------------------------- http://www.ubuntu.com/usn/usn-3417-1/ ∗∗∗ IBM Security Bulletin: IBM Spectrum Scale Object Protocols functionality is affected by a security vulnerability in Python (CVE-2017-2592) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010471 ∗∗∗ IBM Security Bulletin: Open Source Apache PDFBox Vulnerabilities in IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg21991021 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.09.2017
by Daily end-of-shift report 14 Sep '17

14 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-09-2017 18:00 − Donnerstag 14-09-2017 18:00 Handler: Alexander Riepl Co-Handler: Olaf Schwarz ===================== = News = ===================== ∗∗∗ Zerodium Offering $1M for Tor Browser Zero Days ∗∗∗ --------------------------------------------- Exploit acquisition vendor Zerodium said Wednesday it will pay up to $1M for an unknown Tor Browser zero day. --------------------------------------------- http://threatpost.com/zerodium-offering-1m-for-tor-browser-zero-days/127959/ ∗∗∗ Another webshell, another backdoor! ∗∗∗ --------------------------------------------- Im still busy to follow how webshells are evolving... I recently found another backdoor in another webshell called "cor0.id". The best place to find webshells remind pastebin.com. When Im testing a webshell, I copy it in a VM located on a "wild Internet" VLAN in my home lab with, amongst other controls, full packet capture enabled. --------------------------------------------- https://isc.sans.edu/diary/rss/22826 ∗∗∗ Old Themes, Abandoned Scripts and Pitfalls of Cleaning Serialized Data ∗∗∗ --------------------------------------------- Over the summer we’ve seen waves of WordPress database infections that use vulnerabilities in tagDiv’s Newspaper/Newsmag themes or InterconnectIT Search and Replace scripts (searchreplacedb2.php). The injections range from ad scripts coming from established ad networks like shorte.st to new domains created specifically for those attacks. Typical injected scripts look like this ... --------------------------------------------- https://blog.sucuri.net/2017/09/old-themes-abandoned-scripts-pitfalls-clean… ∗∗∗ Samsung’s launches bug bounty program and will reward up to $200,000 to anyone who discovers vulnerabilities in its mobile devices and associated software ∗∗∗ --------------------------------------------- Samsung says,”We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program for eligible security vulnerability reports,”. --------------------------------------------- https://www.techposts.net/samsung-launches-bug-bounty-program-offering-boun… ∗∗∗ Enlarge your botnet with: top D-Link routers (DIR8xx D-Link routers cruisin for a bruisin) ∗∗∗ --------------------------------------------- In this article, we are going to discuss vulnerabilities detected in the top D-Link routers. The devices use the same code, thus giving a magnificent and quite tempting opportunity to attackers to add them to a botnet. Moreover, we have managed to make Mirai for the devices by modifying its compilation script a bit. --------------------------------------------- https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-lin… ∗∗∗ "Display Widgets": WordPress-Plugin mit Backdoor aus Repository entfernt ∗∗∗ --------------------------------------------- Ein Plugin zur Verwaltung von WordPress-Widgets enthielt eine Backdoor, die dessen Herausgeber über Monate hinweg den Fernzugriff ermöglichte. Nun wurde es endgültig aus dem WordPress-Repository entfernt. Ein Update säubert bestehende Installationen. --------------------------------------------- https://heise.de/-3831761 ∗∗∗ Schwere Lücke im Router D-Link DIR-850L: Patches kommen am 19. September ∗∗∗ --------------------------------------------- Die Heimrouter können von Angreifern aus der Ferne übernommen werden. Bisher gibt es kein Update, da der Entdecker der Lücken D-Link vor der Veröffentlichung nicht informiert hat. Nun hat die Firma das Datum mitgeteilt, ab dem es Patches geben soll. --------------------------------------------- https://heise.de/-3832456 ∗∗∗ End of extended support for Office 2007 ∗∗∗ --------------------------------------------- The end of extended support for the Office 2007 family of desktop and server products is coming up next month. See Office 2007 approaching end of extended support for more details and the list of affected products. --------------------------------------------- https://blogs.technet.microsoft.com/office_sustained_engineering/2017/09/13… ===================== = Advisories = ===================== ∗∗∗ DSA-3972 bluez - security update ∗∗∗ --------------------------------------------- An information disclosure vulnerability was discovered in the ServiceDiscovery Protocol (SDP) in bluetoothd, allowing a proximate attacker toobtain sensitive information from bluetoothd process memory, includingBluetooth encryption keys. --------------------------------------------- https://www.debian.org/security/2017/dsa-3972 ∗∗∗ Flag clear - Moderately Critical - CSRF - DRUPAL-SA-CONTRIB-2017-074 ∗∗∗ --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2017-074 Vulnerability: Cross Site Request Forgery Description: The Flag clear module allows administrators to remove user flags for content. This functionality is often useful in user-submission use-cases, where users do not necessarily need to unflag things on their own. --------------------------------------------- https://www.drupal.org/node/2908592 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearQuest (CVE-2017-1289) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22007617 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2016-7055, CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002883 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearCase (CVE-2016-7055, CVE-2017-3731) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22002863 ∗∗∗ Persistent Cross-Site Scripting in SilverStripe CMS ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/persistent-cross-site-script… ∗∗∗ Authenticated Command Injection in Ubiquiti Networks UniFi Cloud Key ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/authenticated-command-inject… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2017
by Daily end-of-shift report 13 Sep '17

13 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-09-2017 18:00 − Mittwoch 13-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Over 4,000 ElasticSearch Servers Found Hosting PoS Malware Files ∗∗∗ --------------------------------------------- The Kromtech Security Center has identified over 4,000 instances of ElasticSearch servers that are hosting files specific to two strains of POS (Point of Sale) malware — AlinaPOS and JackPOS. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-4-000-elasticsearch-ser… ∗∗∗ Blueborne: Sicherheitslücken gefährden fünf Milliarden Bluetooth-Geräte ∗∗∗ --------------------------------------------- Etwa fünf Milliarden Geräte weltweit sollen von kritischen Bluetooth-Sicherheitslücken betroffen sein. Die Fehler liegen jedoch nicht im Protokoll, sondern in den entsprechenden Stacks von Windows, Linux und Android. Bei Apple sind nur ältere Geräte von Blueborne betroffen. --------------------------------------------- https://www.golem.de/news/bluetooth-kritische-sicherheitsluecken-ermoeglich… ∗∗∗ Exploit for CVE-2017-8759 detected and neutralized ∗∗∗ --------------------------------------------- The September 12, 2017 security updates from Microsoft include the patch for a previously unknown vulnerability exploited through Microsoft Word as an entry vector. Customers using Microsoft advanced threat solutions were already protected against this threat. The .. --------------------------------------------- https://blogs.technet.microsoft.com/mmpc/2017/09/12/exploit-for-cve-2017-87… ∗∗∗ Hackers Got Into America’s Power Grid. But Don’t Freak Out. ∗∗∗ --------------------------------------------- Last week cybersecurity firm Symantec released a report on what it calls Dragonfly 2.0—a collection of intrusions into industrial and energy-related organizations worldwide. For the last six years, the Dragonfly intrusions and others have regularly gone deeper into the operational networks that control elements of America’s power grid. --------------------------------------------- http://fortune.com/2017/09/11/dragonfly-2-0-symantec-hackers-power-grid/ ∗∗∗ WordPress’ Poor Handling of Plugin Security Exacerbates Malicious Takeover of Display Widgets ∗∗∗ --------------------------------------------- Recently there has been a fair amount of coverage of popular Chrome extensions being modified to include malicious code after the login credentials used to control them in the Chrome Web Store had been compromised .. --------------------------------------------- https://www.pluginvulnerabilities.com/2017/09/11/wordpress-poor-handling-of… ∗∗∗ Adobe stopft Sicherheitslücken in Flash, ColdFusion und RoboHelp ∗∗∗ --------------------------------------------- Auch bei Adobe ist wieder Patchday und der Tradition entsprechend patcht die Firma zu dieser Gelegenheit wieder einmal kritische Lücken im Flash Player. Auch ColdFusion und RoboHelp erhalten Updates. --------------------------------------------- https://heise.de/-3830067 ∗∗∗ Compromised LinkedIn accounts used to send phishing links via private message and InMail ∗∗∗ --------------------------------------------- A recent attack uses existing LinkedIn user accounts to send phishing links to their contacts via private message .. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/09/compromised-linkedin-… ∗∗∗ Patchday: Microsoft stopft Staatstrojaner-Schlupfloch ∗∗∗ --------------------------------------------- Lücke in Word und .NET-Framework wurde von FinFisher-Malware ausgenutzt --------------------------------------------- http://derstandard.at/2000064009454 ===================== = Advisories = ===================== ∗∗∗ DSA-3971 tcpdump - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3971 ∗∗∗ DSA-3970 emacs24 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3970 ∗∗∗ DSA-3969 xen - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2017/dsa-3969 ∗∗∗ Local File Disclosure in VLC media player iOS app ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/local-file-disclosure-in-vlc… ∗∗∗ Multiple Vulnerabilities in IBM Infosphere Information Server / Datastage ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.09.2017
by Daily end-of-shift report 12 Sep '17

12 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 11-09-2017 18:00 − Dienstag 12-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Miners on the Rise ∗∗∗ --------------------------------------------- Over the last month alone, we have detected several large botnets designed to profit from concealed crypto mining. We have also observed growing numbers of attempts to install miners on servers owned by organizations. When these attempts are successful, the companies’ business processes suffer because data processing speeds fall substantially. --------------------------------------------- http://securelist.com/miners-on-the-rise/81706/ ∗∗∗ Google to kill Symantec certs in Chrome 66, due in early 2018 ∗∗∗ --------------------------------------------- This is how trust ends, not with a bang but with a whimper Google has detailed its plan to deprecate Symantec-issued certificates in Chrome.… --------------------------------------------- www.theregister.co.uk/2017/09/12/chrome_66_to_reject_symantec_certs/ ∗∗∗ D-Link DIR-850L: Router können gekapert werden, Patches nicht verfügbar ∗∗∗ --------------------------------------------- In D-Links Heimrouter 850L klaffen schwerwiegende Sicherheitslücken, über die Angreifer die Geräte in ihre Kontrolle bringen können. Updates, welche die Lücken schließen, sind vorerst nicht zu erwarten. --------------------------------------------- https://heise.de/-3828382 ∗∗∗ SAP Security Patch Day – September 2017 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly .. --------------------------------------------- https://blogs.sap.com/2017/09/12/sap-security-patch-day-september-2017/ ===================== = Advisories = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe RoboHelp (APSB17-25), Adobe Flash Player (APSB17-28) and ColdFusion (APSB17-30). Adobe recommends users update their product .. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1491 ∗∗∗ DSA-3968 icedove - security update ∗∗∗ --------------------------------------------- Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service. --------------------------------------------- https://www.debian.org/security/2017/dsa-3968 ∗∗∗ Email verification bypass in SAP E-Recruiting ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/email-verification-bypass-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.09.2017
by Daily end-of-shift report 11 Sep '17

11 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-09-2017 18:00 − Montag 11-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Energieversorgung: E-Mail-Konten sind besser gesichert als Windparks ∗∗∗ --------------------------------------------- Windparks machen einen professionellen Eindruck, doch bei der IT-Sicherheit hapert es leider. Recherchen von Internetwache.org und Golem.de zeigen eine Menge Schwachstellen und ein Chaos bei der Zuständigkeit. --------------------------------------------- https://www.golem.de/news/energieversorgung-e-mail-konten-sind-besser-gesic… ∗∗∗ Secure microkernel in a KVM switch offers spy-grade app virtualization ∗∗∗ --------------------------------------------- Need a few air-gapped apps on one screen? Australian researchers show how Researchers at Australian think tank Data61 and the nations Defence Science and Technology Group have cooked up application publishing for the paranoid, by baking an ARM CPU and secure microkernel into a KVM switch.… --------------------------------------------- www.theregister.co.uk/2017/09/07/cross_domain_desktop_compositor_vdi_for_th… ∗∗∗ Apache Foundation rebuffs allegation it allowed Equifax attack ∗∗∗ --------------------------------------------- Timeline explains that either Equifax didnt patch old bugs, or was zero-dayed The Apache Software Foundation has defended its development practices in the face of a report alleging its code was responsible for the Equifax data leak.… --------------------------------------------- www.theregister.co.uk/2017/09/11/apache_rebuts_equifax_allegation/ ∗∗∗ Bug im Windows-Kernel könnte durch Schadcode missbraucht werden ∗∗∗ --------------------------------------------- Im Windows-Kernel schlummert seit Jahren eine Lücke, die in einigen Fällen dafür sorgen könnte, dass Malware vom Radar von Sicherheitssoftware verschwindet. Laut ihrem Entdecker zeigt sich Microsoft bislang aber eher desinteressiert. --------------------------------------------- https://heise.de/-3825130 ∗∗∗ Equifax Breach Response Turns Dumpster Fire ∗∗∗ --------------------------------------------- I cannot recall a previous data breach in which the breached company’s public outreach and response has been so haphazard and ill-conceived as the one coming right now from big-three credit bureau Equifax, which rather clumsily announced Thursday that an intrusion jeopardized Social security numbers and other information on 143 million Americans. --------------------------------------------- https://krebsonsecurity.com/2017/09/equifax-breach-response-turns-dumpster-… ∗∗∗ Hack: 143 Millionen US-Amerikanern droht Identitätsdiebstahl ∗∗∗ --------------------------------------------- Datendiebstahl bei US-Finanzinstitut Equifax gilt als einer der schlimmsten Einbrüche in der IT-Geschichte --------------------------------------------- http://derstandard.at/2000063850369 ∗∗∗ Another Apache Struts Vulnerability Under Active Exploitation ∗∗∗ --------------------------------------------- This post authored by Nick Biasini with contributions from Alex Chiu.Earlier this week, a critical vulnerability in Apache Struts was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with an instance of XStream for deserialization without any type filtering. As a result, a remote, unauthenticated attacker could achieve remote code execution on a host running a vulnerable version of Apache --------------------------------------------- http://blog.talosintelligence.com/2017/09/apache-struts-being-exploited.html ===================== = Advisories = ===================== ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For more information about the vulnerabilities, refer to the Details section .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ HPESBNS03755 rev.2 - HPE NonStop Server using Samba, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://h20566.www2.hpe.com/portal/site/hpsc/template.PAGE/action.process/p… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.09.2017
by Daily end-of-shift report 08 Sep '17

08 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-09-2017 18:00 − Freitag 08-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Daten von 143 Millionen US-Amerikanern entwendet ∗∗∗ --------------------------------------------- Bei einem Cyberangriff auf den US-Finanzdienstleister Equifax wurden äußerst sensible Daten von Millionen Amerikanern erbeutet, die nun Betrug im großen Stil ermöglichen. --------------------------------------------- https://futurezone.at/digital-life/daten-von-143-millionen-us-amerikanern-e… ∗∗∗ Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions ∗∗∗ --------------------------------------------- Palo Alto Networks Unit 42 researchers have uncovered a high severity vulnerability in the Android overlay system, which allows a new Android overlay attack by using the “Toast type” overlay.The post Android Toast Overlay Attack: “Cloak and Dagger” with No Permissions appeared first on Palo Alto Networks Blog. --------------------------------------------- https://researchcenter.paloaltonetworks.com/2017/09/unit42-android-toast-ov… ∗∗∗ YASRV (Yet Another Struts RCE Vulnerability) yes a different one from yesterday ∗∗∗ --------------------------------------------- Yesterday saw CVE-2017-9805, today we have a new remote code execution vulnerability in Apache Struts 2 which is CVE-2017-12611. Yesterdays was in the REST API and related to Java XML unsafe deserializarion. Todays relates to using Freemarker in your application. Both should encourage you to patch. --------------------------------------------- https://isc.sans.edu/diary/rss/22796 ∗∗∗ Secure microkernel in a KVM switch offers spy-grade app virtualization ∗∗∗ --------------------------------------------- Need a few air-gapped apps on one screen? Heres how Researchers at Australian think tank Data61 and the nations Defence Science and Technology Group have cooked up application publishing for the paranoid, by baking an ARM CPU and secure microkernel into a KVM switch. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2017/09/07/cross_domai… ∗∗∗ TLS-Zertifikate: CAAs sollen Zertifizierungsstellen an die Leine legen ∗∗∗ --------------------------------------------- Admins können mit einer Certification Authority Authorization im DNS festlegen, wer Zertifikate für ihre Domain unterschreiben darf. Ab dem 8. September sind diese Vorgaben für Zertifizierungsstellen verbindlich. --------------------------------------------- https://heise.de/-3822010 ∗∗∗ Sechs Lücken in Android-Bootloadern bekannter Hersteller entdeckt ∗∗∗ --------------------------------------------- Die automatisierte Analyse des Codes zweier Android-Bootloader förderte insgesamt sechs Schwachstellen zutage. Denial-of-Service und Zugriff auf sensible Daten sind mögliche Folgen – allerdings nur dann, wenn der Angreifer bereits Root-Rechte hat. --------------------------------------------- https://heise.de/-3824289 ∗∗∗ Schwachstelle in Typo3-Repository als mögliches Schlupfloch für trojanisierte Erweiterungen ∗∗∗ --------------------------------------------- Aufgrund eines Fehlers hätten Dritte unter Umständen mit beliebigem Passwort auf das Typo3 Extension Repository zugreifen können. Nun warnen die Entwickler vor möglichen Erweiterungen mit Schadcode. --------------------------------------------- https://heise.de/-3825378 ∗∗∗ Keine Kartenaktivierung bei card complete erforderlich ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte card complete-Nachricht. Darin heißt es, dass die Kreditkarte von Kund/innen gesperrt worden sei. Für eine Reaktivierung sollen diese persönliche Daten bekannt geben. Wer der Aufforderung nachkommt, sendet Betrüger/innen seine Kreditkarteninformationen. --------------------------------------------- https://www.watchlist-internet.at/phishing/keine-kartenaktivierung-bei-card… ===================== = Advisories = ===================== ∗∗∗ Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 ∗∗∗ --------------------------------------------- On September 5, 2017, the Apache Software Foundation released security bulletins that disclose three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For more information about the vulnerabilities, refer to the Details section of this advisory.Multiple Cisco products incorporate a version of the Apache Struts 2 package that is affected ... --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02 ∗∗∗ SpiderControl SCADA Web Server ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-250-01 ∗∗∗ PHOENIX CONTACT, Innominate Security Technologies mGuard Firmware ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-17-250-02 ∗∗∗ i-SENS Inc. SmartLog Diabetes Management Software ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-01 ∗∗∗ DFN-CERT-2017-1587/">GDK-PixBuf: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1587/ ∗∗∗ Security Advisory - MITM Vulnerability in Huawei Themes App in Some Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170908-… ∗∗∗ IBM Security Bulletin: Vulnerability in IBM® Java SDK affects multiple IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22007909 ∗∗∗ IBM Security Bulletin: Open Source XStream as used in IBM QRadar SIEM is vulnerable to Denial of Service. (CVE-2017-7957) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008217 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22005380 ∗∗∗ IBM Security Bulletin: IBM Java SDK as used in IBM QRadar SIEM is vulnerable to multiple CVE’s. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008210 ∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to information exposure. (CVE-2017-1162) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22008194 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.09.2017
by Daily end-of-shift report 07 Sep '17

07 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-09-2017 18:00 − Donnerstag 07-09-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BlackBerry powered by Android Security Bulletin – September 2017 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Ransomware: What you need to know now | Salted Hash Ep 1, Pt 4 ∗∗∗ --------------------------------------------- Reporters Fahmida Rashid and Steve Ragan talk about the latest ransomware threats, the holes in IT security and the burdens on enterprises. --------------------------------------------- https://www.csoonline.com/video/81516/ransomware-what-you-need-to-know-now-… ∗∗∗ Microsoft Programming Error is Behind Dangerous Kernel Bug, Researchers Claim ∗∗∗ --------------------------------------------- Researchers say a 18-year-old programming error by Microsoft is creating a kernel bug that can be abused by an attacker. --------------------------------------------- http://threatpost.com/microsoft-programming-error-is-behind-dangerous-kerne… ∗∗∗ Interesting List of Windows Processes Killed by Malicious Software ∗∗∗ --------------------------------------------- Just a quick blog post about an interesting sample that I found today. Usually, modern pieces of malware implement anti-debugging and anti-VM techniques. They perform some checks against the target and when a positive result is found, they silently exit… Such checks might be testing the screen resolution, the activity[The post Interesting List of Windows Processes Killed by Malicious Software has been first published on /dev/random] --------------------------------------------- https://blog.rootshell.be/2017/09/06/interesting-list-windows-processes-kil… ∗∗∗ Apache Struts “serialisation” vulnerability – what you need to know ∗∗∗ --------------------------------------------- A bug in Apache Struts, a popular software toolkit for building web services, could let crooks take control of your server. --------------------------------------------- https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vul… ∗∗∗ Hackers Are Distributing Backdoored Cobian RAT Hacking tool For Free ∗∗∗ --------------------------------------------- Nothing is free in this world. If you are searching for free ready-made hacking tools on the Internet, then beware—most freely available tools, claiming to be the swiss army knife for hackers, are nothing but a hoax. Last year, we reported about one such Facebook hacking tool that actually had the capability to hack a Facebook account, but yours and not the one you desire to hack. --------------------------------------------- https://thehackernews.com/2017/09/backdoored-hacking-tools.html ∗∗∗ Expired domain names and malvertising - Malwarebytes Labs ∗∗∗ --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2017/09/expired-domain-names-… ∗∗∗ Gefälschte Microsoft-Warnung führt zu Datendiebstahl ∗∗∗ --------------------------------------------- Kriminelle fälschen einen Microsoft-Warnhinweis. Darin behaupten sie, dass fremde Computer mit Schadsoftware befallen seien. Vermeintliche Opfer sollen sich deshalb an eine Kundenhotline wenden. In Wahrheit gelangen sie an Verbrecher/innen, die Zugang zum Computer fordern, Dateien kopieren und Zahlungsdaten stehlen. --------------------------------------------- https://www.watchlist-internet.at/sonstiges/gefaelschte-microsoft-warnung-f… ===================== = Advisories = ===================== ∗∗∗ DFN-CERT-2017-1567/">IBM Notes: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1567/ ∗∗∗ DFN-CERT-2017-1571/">Cisco ASR 5500 Series Routers: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1571/ ∗∗∗ DFN-CERT-2017-1574/">Cisco Prime Collaboration Provisioning Tool: Zwei Schwachstellen ermöglichen das Ausspähen von Informationen und die Manipulation beliebiger Systemdateien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1574/ ∗∗∗ DFN-CERT-2017-1578/">Cisco ASR 920 Series Router: Zwei Schwachstellen ermöglichen die Ausführung beliebigen Programmcodes und die Manipulation von Dateien ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1578/ ∗∗∗ DFN-CERT-2017-1579/">Cisco IOS, Cisco IOS XE: Zwei Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1579/ ∗∗∗ DFN-CERT-2017-1580/">Cisco IR800 Integrated Services Router: Eine Schwachstelle ermöglicht die komplette Kompromittierung des Systems ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1580/ ∗∗∗ Cisco Prime LAN Management Solution Token ID Reuse Lets Remote Authenticated Users Hijack the Target Users Session ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039285 ∗∗∗ Cisco Catalyst 4000 Series Switch Dynamic ACL Bug Lets Remote Users Bypass Port Access Controls on the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039284 ∗∗∗ TYPO3 API Bug Lets Remote Users Obtain Potentially Sensitive Version Information on the Target System ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039294 ∗∗∗ TYPO3 File Storage Access Control Flaw Lets Remote Authenticated Users Obtain Potentially Sensitive Information ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039293 ∗∗∗ TYPO3 Input Validation Flaw in Backend Forms Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1039292 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2017
by Daily end-of-shift report 06 Sep '17

06 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-09-2017 18:00 − Mittwoch 06-09-2017 18:00 Handler: Stefan Lenzhofer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers Gain ‘Switch-Flipping’ Access to US Power Systems ∗∗∗ --------------------------------------------- Hackers who hit American utilities this summer had the power to cause blackouts, Symantec says. --------------------------------------------- https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power… see also: http://derstandard.at/2000063697965 see also: https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targ… see also: https://www.bleepingcomputer.com/news/security/sabotage-warning-issued-on-h… ∗∗∗ SynAck Ransomware Sees Huge Spike in Activity ∗∗∗ --------------------------------------------- Over the past two days, there was an increase in activity from a relatively unknown ransomware strain named SynAck, according to submissions to the ID-Ransomware service and users who complained on the Bleeping Computer ransomware support forums. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-… ∗∗∗ Stop blaming users for security misses ∗∗∗ --------------------------------------------- Does the message to users about security need to change? Or does IT need to rebuild infrastructure so users can worry less about security? Wendy Nather, principal security strategist at Duo Security, talks with CSO senior writer Fahmida Rashid about how organizations can learn to do security right. --------------------------------------------- https://www.csoonline.com/video/80055/stop-blaming-users-for-security-misse… ∗∗∗ Security and education in the wake of WannaCry, Petya ∗∗∗ --------------------------------------------- Attacks occur for a variety of reasons, and in the wake of the most widespread ransomware attacks, WannaCry and Petya, many organizations are re-evaluating their security practices to figure out what went wrong.While those who were hit are still trying to understand where their security gaps are, others enterprises that rely on legacy systems and cant be patched are looking for ways to prevent being the next victim. No, the vulnerabilities attackers leverage are not new. They prey on systems --------------------------------------------- https://www.csoonline.com/article/3208384/backup-recovery/security-and-educ… ∗∗∗ The 15 biggest data breaches of the 21st centuryy ∗∗∗ --------------------------------------------- Data breaches happen daily, in too many places at once to keep count, take todays news of another Verizon breach that exposed the personal data of 6 million customers and a somewhat less dire breach at 14 Trump hotels. But what constitutes a huge breach versus a small one? CSO compiled a list of 15 of the biggest or most significant breaches of the 21st century.This list is based not necessarily on the number of records compromised, but on how much risk or damage the breach caused for --------------------------------------------- https://www.csoonline.com/article/2130877/data-protection/the-15-biggest-da… ∗∗∗ ShadowBrokers are back demanding nearly $4m and offering 2 dumps per month ∗∗∗ --------------------------------------------- The dreaded hacking group ShadowBrokers posted a new message, promising to deliver two data dumps a month as part its monthly dumps. The notorious group ShadowBrokers is back with announcing new interesting changes to their Dump Service. The hackers published a new message on the Steemit platform announcing new changed to their service. “Missing theshadowbrokers? If someone […]The post ShadowBrokers are back demanding nearly $4m and offering 2 dumps per month appeared first on --------------------------------------------- http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html ∗∗∗ A Critical Apache Struts Security Flaw Makes It Easy To Hack Fortune 100 Firms ∗∗∗ --------------------------------------------- An anonymous reader quotes a report from ZDNet: A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability. All versions of Struts since 2008 are affected, said the researchers. --------------------------------------------- https://apache.slashdot.org/story/17/09/05/2053200/a-critical-apache-struts… ∗∗∗ Hacker-Angriffe auf MongoDB treffen fast 27.000 Datenbanken ∗∗∗ --------------------------------------------- Erpresserische Angriffe auf sicherheitsanfällige MongoDB-Datenbanken liegen bei Online-Kriminellen bereits seit Ende letzten Jahres im Trend. Nun geht die Abzocke weiter: Drei neue Hackergruppen fordern Bitcoins im Tausch gegen Datenbankinhalte. --------------------------------------------- https://heise.de/-3822955 ∗∗∗ Security flaw affects 750,000 Estonian ID cards ∗∗∗ --------------------------------------------- An international group of cryptographers has flagged a serious security vulnerability in the chip embedded in Estonian ID cards, the country’s Information System Authority has announced. “Estonian experts assess there to be a possible security vulnerability and we will continue to verify the claims of the researchers,” said Taimar Peterkop, Director-General of the agency. “We have developed the primary solutions to mitigate the risk, and will do our utmost to ensure that --------------------------------------------- https://www.helpnetsecurity.com/2017/09/06/estonian-id-cards-security-flaw/ ===================== = Advisories = ===================== ∗∗∗ Apache Struts: Jetzt updaten und kritische Lücke schließen ∗∗∗ --------------------------------------------- Eine soeben veröffentlichte Version von Apache Struts schließt eine kritische Lücke. Die Entwickler und der Entdecker der Sicherheitslücke rechnen damit, dass diese bald für Angriffe auf Firmen missbraucht wird. Also ist jetzt zügiges Handeln angesagt. --------------------------------------------- https://heise.de/-3822948 ∗∗∗ Bugtraq: [security bulletin] HPESBUX03772 rev.1 - HP-UX BIND Service Running Named, Multiple Vulnerabilities ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541129 ∗∗∗ DFN-CERT-2017-1558/">Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1558/ ∗∗∗ DFN-CERT-2017-1556/">Google Android Operating System: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1556/ ∗∗∗ DFN-CERT-2017-1563/">Google Chrome, Chromium: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1563/ ∗∗∗ DFN-CERT-2017-1561/">IBM AIX, IBM VIOS, IBM Java SDK: Mehrere Schwachstellen ermöglichen u.a. die komplette Kompromittierung des Systems ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1561/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22008080 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.09.2017
by Daily end-of-shift report 05 Sep '17

05 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Montag 04-09-2017 18:00 − Dienstag 05-09-2017 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Six-Year-Old "Loop Bug" Re-Discovered to Affect Almost All Major PDF Viewers ∗∗∗ --------------------------------------------- A bug discovered in an obscure PDF parsing library back in 2011 is also present in most of todays top PDF viewers, according to German software developer Hanno Böck. --------------------------------------------- https://www.bleepingcomputer.com/news/software/six-year-old-loop-bug-re-dis… ∗∗∗ TrustZone Downgrade Attack Opens Android Devices to Old Vulnerabilities ∗∗∗ --------------------------------------------- An attacker can downgrade components of the Android TrustZone technology to older versions that feature known vulnerabilities and use older exploits against smartphones running an up-to-date operating system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trustzone-downgrade-attack-o… ∗∗∗ The Mirai Botnet: A Look Back and Ahead At Whats Next, (Tue, Sep 5th) ∗∗∗ --------------------------------------------- It is a bit hard to nail down when the Mirai botnet really started. I usually use scans for port:2323 and the use of the password "xc3511" as an indicator. But of course, that isn't perfect. The very first scan using the password "xc3511" was detected by our sensor on February 26th, 2016, well ahead of Mirai. --------------------------------------------- https://isc.sans.edu/diary/rss/22786 ∗∗∗ Hunting Pastebin with PasteHunter ∗∗∗ --------------------------------------------- >From a security analytics and Threat Intelligence perspective Pastebin is a treasure trove of information. All content that is uploaded to pastebin and not explicitly set to private (which requires an account) is listed and can be viewed by anyone. --------------------------------------------- https://techanarchy.net/2017/09/hunting-pastebin-with-pastehunter/ ∗∗∗ Finger weg von SHA-1: 320 Millionen Passwörter geknackt ∗∗∗ --------------------------------------------- Wenn Webseitenbetreiber Passwörter von Kunden nicht sicher verwahren, ist der Super-GAU vorprogrammiert. Daran erinnern abermals Sicherheitsforscher, die in überschaubarer Zeit Millionen Passwörter entschlüsselt haben. --------------------------------------------- https://heise.de/-3822005 ===================== = Advisories = ===================== ∗∗∗ DFN-CERT-2017-1547/">Liblouis: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1547/ ∗∗∗ DFN-CERT-2017-1554/">Apache Software Foundation Struts: Mehrere Schwachstellen ermöglichen das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2017-1554/ ∗∗∗ Security Notice - Statement About the Bootloader Vulnerabilities in Huawei Mobile Phones Disclosed at the USENIX Conference ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170905-01-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU – Jan 2017 – Includes Oracle Jan 2017 CPU affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22001461 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Classification ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg21996956 ∗∗∗ Arbitrary Code Execution in TYPO3 CMS ∗∗∗ --------------------------------------------- https://typo3.org/news/article/arbitrary-code-execution-in-typo3-cms/ ∗∗∗ Information Disclosure in TYPO3 CMS ∗∗∗ --------------------------------------------- https://typo3.org/news/article/information-disclosure-in-typo3-cms-1/ ∗∗∗ Information Disclosure in TYPO3 CMS ∗∗∗ --------------------------------------------- https://typo3.org/news/article/information-disclosure-in-typo3-cms/ ∗∗∗ Cross-Site Scripting in TYPO3 CMS Backend ∗∗∗ --------------------------------------------- https://typo3.org/news/article/cross-site-scripting-in-typo3-cms-backend/ ∗∗∗ USN-3409-1: FontForge vulnerabilities ∗∗∗ --------------------------------------------- http://www.ubuntu.com/usn/usn-3409-1/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.09.2017
by Daily end-of-shift report 04 Sep '17

04 Sep '17

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-09-2017 18:00 − Montag 04-09-2017 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RTP Bleed: Mit Asterisk-Bug Telefonate belauschen ∗∗∗ --------------------------------------------- Ein Bug in der IP-Telefonielösung Asterisk ermöglicht Angreifern, Telefonate mitzuhören. Das Problem liegt in der zugrundeliegenden RTP-Implementierung. Ein erster Patch ist da, aber noch fehlerhaft. --------------------------------------------- https://www.golem.de/news/rtp-bleed-mit-asterisk-bug-telefonate-belauschen-… ∗∗∗ Malspam pushing Locky ransomware tries HoeflerText notifications for Chrome and FireFox ∗∗∗ --------------------------------------------- 2017-09-01 update: A different campaign using HoeflerText popups has been active during the same timeframe. I wrote about it here, but the only thing these two campaigns have in common is that they both used HoeflerText popups. --------------------------------------------- https://isc.sans.edu/forums/diary/Malspam+pushing+Locky+ransomware+tries+Ho… ∗∗∗ Fehler in API: Möglicherweise Millionen Kontaktdaten von Instagram-Usern öffentlich ∗∗∗ --------------------------------------------- Wegen eines Bug in der Kommunikationsschnittstelle zu anderen Apps müssen Millionen Instagram-Nutzer um ihre Privatsphäre fürchten. Betroffen sind laut der Facebook-Tochter nicht nur Prominente. --------------------------------------------- https://heise.de/-3820497 ∗∗∗ Mehrere Sicherheitslücken in RubyGems ∗∗∗ --------------------------------------------- Rubys Paketsystem RubyGems enthält Schwachstellen, die unter anderem DoS-Angriffe und DNS-Hijacking ermöglichen. Ein Update auf die aktuelle Version 2.6.13 bannt die Gefahr. --------------------------------------------- https://heise.de/-3820891 ∗∗∗ Mehrere große Torrent-Seiten offenbar nach Attacken offline ∗∗∗ --------------------------------------------- Eine Reihe prominenter Plattformen wie Torrentproject sind nicht mehr erreichbar – Domains suspendiert, Überlastungsangriffe --------------------------------------------- http://derstandard.at/2000063553913 ===================== = Advisories = ===================== ∗∗∗ DSA-3960 gnupg - security update ∗∗∗ --------------------------------------------- Daniel J. Bernstein, Joachim Breitner, Daniel Genkin, Leon GrootBruinderink, Nadia Heninger, Tanja Lange, Christine van Vredendaal and Yuval Yarom discovered that GnuPG is prone to a local side-channel attack allowing full key recovery for RSA-1024. --------------------------------------------- https://www.debian.org/security/2017/dsa-3960 ∗∗∗ DSA-3961 libgd2 - security update ∗∗∗ --------------------------------------------- A double-free vulnerability was discovered in the gdImagePngPtr()function in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a specially crafted file is processed. --------------------------------------------- https://www.debian.org/security/2017/dsa-3961 ∗∗∗ DSA-3962 strongswan - security update ∗∗∗ --------------------------------------------- A denial of service vulnerability was identified in strongSwan, an IKE/IPsecsuite, using Googles OSS-Fuzz fuzzing project. --------------------------------------------- https://www.debian.org/security/2017/dsa-3962 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily September 2017