Daily September 2018

daily@lists.cert.at

1 participants
20 discussions

Tageszusammenfassung - 28.09.2018
by Daily end-of-shift report 28 Sep '18

28 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-09-2018 18:00 − Freitag 28-09-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ New Iot Botnet Torii Uses Six Methods for Persistence, Has No Clear Purpose ∗∗∗ --------------------------------------------- Security researchers discovered a new IoT botnet that is in a league superior to the Mirai variants .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-iot-botnet-torii-uses-si… ∗∗∗ Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV ∗∗∗ --------------------------------------------- Removing the need for files is the next progression of attacker techniques. While fileless techniques used to be employed almost exclusively in sophisticated cyberattacks, they are now becoming widespread in common malware, .. --------------------------------------------- https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-bu… ∗∗∗ Credential Leak Flaws in Windows PureVPN Client ∗∗∗ --------------------------------------------- Using a VPN (Virtual Private Network) can bring many advantages, particularly when you want to .. --------------------------------------------- https://trustwave.com/Resources/SpiderLabs-Blog/Credential-Leak-Flaws-in-Wi… ∗∗∗ DNSSEC Key Signing Key Rollover ∗∗∗ --------------------------------------------- Original release date: September 27, 2018 On October 11, 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) will be changing the Root Zone Key Signing Key (KSK) used in the Domain Name System (DNS) Security .. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2018/09/27/DNSSEC-Key-Signing… ∗∗∗ [SANS ISC] More Excel DDE Code Injection ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “More Excel DDE Code Injection“: The “DDE code injection” technique is not brand new. DDE stands for “Dynamic Data Exchange”. It has already been discussed by many security researchers. Just a quick .. --------------------------------------------- https://blog.rootshell.be/2018/09/28/sans-isc-more-excel-dde-code-injection/ ∗∗∗ Stellungnahme des BSI zur Schadsoftware "LoJax" ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/LoJax-Schad… ===================== = Vulnerabilities = ===================== ∗∗∗ Emerson AMS Device Manager ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper access control and improper privilege management vulnerabilities in the Emerson AMS Device Manager software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-270-01 ∗∗∗ Fuji Electric Alpha5 Smart Loader ∗∗∗ --------------------------------------------- This advisory includes information on classic buffer overflow and heap-based buffer overflow vulnerabilities in Fuji Electrics Alpha5 Smart Loader servo drive. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-270-02 ∗∗∗ Fuji Electric FRENIC Devices ∗∗∗ --------------------------------------------- This advisory includes information on buffer over-read, out-of-bounds read, and stack-based buffer overflow vulnerabilities in Fuji Electrics FRENIC HVAC drive devices. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-270-03 ∗∗∗ OpenSSH vulnerability CVE-2018-15473 ∗∗∗ --------------------------------------------- OpenSSH vulnerability CVE-2018-15473. Security Advisory. Security Advisory Description. OpenSSH through 7.7 is prone ... --------------------------------------------- https://support.f5.com/csp/article/K28942395 ∗∗∗ ZDI-18-1093: Delta Industrial Automation PMSoft rtl60 File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1093/ ∗∗∗ Foxit Reader, Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen u. a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1972/ ∗∗∗ IBM Security Bulletin: PowerKVM has released fixes in response to the vulnerabilities known as Foreshadow ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10733108 ∗∗∗ IBM Security Bulletin: Security Misconfiguration during Combined Cumulative Fix Installation Affects IBM WebSphere Portal (CVE-2018-1420) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22014276 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2018
by Daily end-of-shift report 27 Sep '18

27 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-09-2018 18:00 − Donnerstag 27-09-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB18-30) ∗∗∗ --------------------------------------------- A prenotification security advisory (APSB18-30) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, October 02, 2018. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1621 ∗∗∗ Password Managers Can Be Tricked Into Believing That Malicious Android Apps Are Legitimate ∗∗∗ --------------------------------------------- A new academic study published today reveals that Android-based password managers have a hard time distinguishing between legitimate and fake applications, leading to easy phishing scenarios. From a report: The study looked at how password managers work on modern versions of the Android OS, and which of the OS features attackers can abuse to collect user credentials via phishing attacks carried out via fake, lookalike apps. --------------------------------------------- https://it.slashdot.org/story/18/09/26/1534203/password-managers-can-be-tri… ∗∗∗ LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group ∗∗∗ --------------------------------------------- Some UEFI rootkits have been presented as proofs of concept; some are known to be at the disposal of (at least some) governmental agencies. However, no UEFI rootkit has ever been detected in the wild – until we discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system. --------------------------------------------- https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wi… ∗∗∗ Geldmacherei mit e-Visum für Ägypten ∗∗∗ --------------------------------------------- Konsument/innen, die nach Ägypten einreisen möchten, müssen ein e-Visum beantragen. Auf der offiziellen Regierungswebsite visa2egypt.gov.eg kostet es für eine einmalige Einreise als Tourist/in 25 US-Dollar. Das ist der günstigste Preis für das e-Visum. Andere Anbieter/innen verlangen dafür wesentlich höhere Kosten. Aus diesem Grund ist bei der Beantragung Vorsicht geboten. --------------------------------------------- https://www.watchlist-internet.at/news/geldmacherei-mit-e-visum-fuer-aegypt… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, otrs2, and strongswan), Fedora (kernel-headers, moodle, ntp, visualboyadvance-m, and yaml-cpp), Mageia (rsyslog), openSUSE (ant, libzypp, zypper, shadow, and tiff), Oracle (389-ds-base, flatpak, kernel, nss, and openssl), Red Hat (rh-perl524-mod_perl and rh-perl526-mod_perl), Scientific Linux (389-ds-base, flatpak, kernel, and nss), SUSE (firefox, gd, glibc, kernel, mgetty, php7, and wireshark), and Ubuntu (udisks2). --------------------------------------------- https://lwn.net/Articles/766959/ ∗∗∗ WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0007 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit. ... We recommend updating to the latest stable versions of WebKitGTK+ and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2018-0007.html ∗∗∗ Cisco Catalyst 6800 Series Switches ROM Monitor Software Secure Boot Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Web UI Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software HTTP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software VLAN Trunking Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software TACACS+ Client Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software SM-1T3/E3 Service Module Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Shell Access Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS Software Precision Time Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Privileged EXEC Mode Root Shell Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software Plug and Play Agent Memory Leak Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software OSPFv3 Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software MACsec MKA Using EAP-TLS Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS Software for Cisco 800 Series Industrial Integrated Services Routers Arbitrary Memory Write Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software IPv6 Hop-by-Hop Options Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software and Cisco ASA 5500-X Series Adaptive Security Appliance IPsec Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Errdisable Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software Cluster Management Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Cisco Discovery Protocol Memory Leak Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software Cisco Discovery Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: A vulnerability in PostgreSQL affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10730491 ∗∗∗ IBM Security Bulletin: A vulnerability in gnupg2 affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10720353 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10732455 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10732457 ∗∗∗ IBM Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10716879 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private and IBM Cloud Private Cloud Foundry (CVE-2018-7167, CVE-2018-7164, CVE-2018-7162, CVE-2018-1000168, CVE-2018-7161) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10718901 ∗∗∗ IBM Security Bulletin: Arbitrary URL Redirection (CVE-2018-1704) affects IBM Platform Symphony, IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10719671 ∗∗∗ IBM Security Bulletin: XML Entity Expansion vulnerability (CVE-2018-1702) affects IBM Platform Symphony, IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10719659 ∗∗∗ IBM Security Bulletin: A vulnerability in policycoreutils affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10728473 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i and Rational Developer for AIX and Linux Security Bulletin ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10730623 ∗∗∗ HPESBST03884 rev.1 - HPE ConvergedSystem 700 Solutions Using HPE 3PAR Service Processor, Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en&docId=emr_na-h… ∗∗∗ HPESBHF03890 rev.1 - HPE Service Governance Framework (SGF) - Remote Unauthorized Disclosure of Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03901 rev.1 - HPE intelligence Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03902 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03884 rev.2 - HPE ConvergedSystem 700 Solutions Using HPE 3PAR Service Processor, Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2018
by Daily end-of-shift report 26 Sep '18

26 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-09-2018 18:00 − Mittwoch 26-09-2018 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Der nächste Meilenstein: [CERT.at #1000000] ∗∗∗ --------------------------------------------- Für unsere Kommunikation per E-Mail verwenden wir (wie viele Firmen) ein Ticketsystem, damit a) die Kommunikation für alle Teammitglieder nachvollziehbar ist, dass b) möglichst keine Anfragen unbeantwortet bleiben und c) der Workflow mit Meldung/Vorfall/Nachforschung abgebildet werden kann. --------------------------------------------- http://www.cert.at/services/blog/20180926100651-2293.html ∗∗∗ Nach Safari und Chrome: Firefox ins Jenseits befördern ∗∗∗ --------------------------------------------- Mit einem präparierten Link kann Mozillas Firefox zum Absturz gebracht werden. Ähnliches hat ein Sicherheitsforscher zuvor mit Apples Safari und Googles Chrome gezeigt. Auf einer Webseite sammelt er die Lücken - mitsamt Absturz-Button. --------------------------------------------- https://www.golem.de/news/nach-safari-und-chrome-firefox-ins-jenseits-befoe… ∗∗∗ New CVE-2018-8373 Exploit Spotted ∗∗∗ --------------------------------------------- On September 18, 2018, more than a month after we published a blog revealing the details of a use-after-free (UAF) vulnerability CVE-2018-8373 that affects the VBScript engine in newer Windows versions, we spotted another exploit that uses the same vulnerability. Its important to note that this exploit doesnt work on systems with updated Internet Explorer versions. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2018-83… ∗∗∗ Full compliance with the PCI DSS drops for the first time in six years ∗∗∗ --------------------------------------------- After documenting improvements in Payment Card Industry Data Security Standard (PCI DSS) compliance over the past six years (2010 – 2016), Verizon’s 2018 Payment Security Report (PSR) now reveals a concerning downward trend with companies failing compliance assessments and perhaps, more importantly, not maintaining – full compliance. --------------------------------------------- https://www.helpnetsecurity.com/2018/09/26/pci-dss-compliance-drop/ ∗∗∗ Gefälschte kabelplus-Phishingmail im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte kabelplus-Nachricht. Darin behaupten sie, dass „ihr Kabelplus Webmail (kabsi.at) Nachrichtenspeicher das Limit-Kontingent in unserer Datenbank erreicht“ hat. Aus diesem Grund sollen Kund/innen eine externe Website aufrufen und persönliche Daten bekannt geben. Diese übermitteln sie nicht an kabelplus, sondern an Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-kabelplus-phishingmail-i… ===================== = Vulnerabilities = ===================== ∗∗∗ Magecart Attacks Grow Rampant in September ∗∗∗ --------------------------------------------- Attacks that compromise websites with scripts that steal payment card data from checkout pages have increased to hundreds of thousands of attempts in little over a month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magecart-attacks-grow-rampan… ∗∗∗ VU#581311: TP-Link EAP Controller lacks RMI authentication and is vulnerable to deserialization attacks ∗∗∗ --------------------------------------------- TP-Link EAP Controller lacks RMI authentication and is vulnerable to deserialization attacks The TP-LINK EAP Controller is TP-LINKs software for remotely controlling wireless access point devices. EAP Controller for Linux lacks user authentication for RMI service commands, as well as utilizes an outdated vulnerable version of Apache commons-collections, which may allow an attacker to implement deserialization attacks and control the EAP Controller server. --------------------------------------------- http://www.kb.cert.org/vuls/id/581311 ∗∗∗ One Emotet infection leads to three follow-up malware infections, (Wed, Sep 26th) ∗∗∗ --------------------------------------------- In recent weeks, I've generally seen Emotet retrieve Trickbot, the IcedID banking Trojan, or spambot malware for its follow-up infection. I rarely see Emotet retrieve more than one type of follow-up malware. But on Tuesday 2018-09-25, my infected lab host retrieved Trickbot and IcedID immediately after an Emotet infection. Then IcedID caused another infection with AZORult on the same host. --------------------------------------------- https://isc.sans.edu/diary/rss/24140 ∗∗∗ eDirectory 9.1.1 Hot Patch 1 ∗∗∗ --------------------------------------------- This patch is an update to eDirectory 9.1 Support Pack 1 (9.1.1). This update is being provided to resolve potential critical issues found since the latest patch Architecture: x86-64 Security patch: Yes Priority: Mandatory --------------------------------------------- https://download.novell.com/Download?buildid=vP3nS-Hctkk~ ∗∗∗ Stored Cross-Site Scripting in Kendo UI Editor ∗∗∗ --------------------------------------------- A cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor. If the victim accesses the editor, the payload gets executed. Furthermore, if the payload is reflected at any other resource that does rely on the sanitisation of the editor itself, the JavaScript payload will be executed in the context of the application which allows attackers in the worst case to take over user sessions. --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/stored-cross-site-scripting-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python2.7 and python3.4), openSUSE (php5-smarty3), Oracle (389-ds-base, flatpak, kernel, and nss), Red Hat (389-ds-base, chromium-browser, flatpak, kernel, kernel-alt, kernel-rt, nss, and qemu-kvm-ma), and SUSE (ant, dom4j, kernel, and wireshark). --------------------------------------------- https://lwn.net/Articles/766746/ ∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability Affects IBM WebSphere Portal (CVE-2018-1820) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10732287 ∗∗∗ IBM Security Bulletin: Security Vulnerability in Apache Batik Affects IBM WebSphere Portal (CVE-2018-8013) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731435 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK Affect IBM Algo Credit Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10728567 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 7 & 8 Affect Transformation Extender ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10720173 ∗∗∗ IBM Security Bulletin: Open Redirect Vulnerability in IBM WebSphere Portal (CVE-2018-1736) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729683 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2018-1716) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729323 ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Cloud ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10732916 ∗∗∗ IBM Security Bulletin: Open Source Libvorbis, Patch and Python-paramiko vulnerabilities affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10729297 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2018-1660) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10715923 ∗∗∗ IBM Security Bulletin: Publicly disclosed vulnerability from BIND affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10729637 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.09.2018
by Daily end-of-shift report 25 Sep '18

25 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Montag 24-09-2018 18:00 − Dienstag 25-09-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Android Trojan reads Whatsapp-Messages ∗∗∗ --------------------------------------------- A spyware still in development can read users Whatsapp-Messages and other sensitive data. G DATA researchers analysed the Malware to protect our customers. --------------------------------------------- https://www.gdatasoftware.com/blog/2018/09/31122-android-trojan-reads-whats… ∗∗∗ OpenPGP/GnuPG: Signaturen fälschen mit HTML und Bildern ∗∗∗ --------------------------------------------- PGP-Signaturen sollen gewährleisten, dass eine E-Mail tatsächlich vom korrekten Absender kommt. Mit einem simplen Trick kann man bei vielen Mailclients scheinbar signierte Nachrichten erstellen - indem man die entsprechende Anzeige mittels HTML fälscht. (OpenPGP, E-Mail) --------------------------------------------- https://www.golem.de/news/openpgp-gnupg-signaturen-faelschen-mit-html-und-b… ∗∗∗ Analyzing Encoded Shellcode with scdbg, (Mon, Sep 24th) ∗∗∗ --------------------------------------------- Reader Jason analyzed a malicious RTF file: using OfficeMalScanner and xorsearch he was able to extract and find the entry point of the shellcode, but scdbg was not able to emulate the shellcode. --------------------------------------------- https://isc.sans.edu/diary/rss/24134 ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Cisco Identity Services Engine ∗∗∗ --------------------------------------------- Cisco Identity Services Engine (ISE) contains the following vulnerabilities: Cisco ISE Authenticated Arbitrary Command Execution Vulnerability Cisco ISE Support Information Download Authentication Bypass Vulnerability These .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… ∗∗∗ DSA-4305 strongswan - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4305 ∗∗∗ ZDI-18-1083: Apple Safari Array Concat Uninitialized Buffer Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1083/ ∗∗∗ ZDI-18-1082: Apple Safari Subframe Same-Origin Policy Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1082/ ∗∗∗ ZDI-18-1081: Apple Safari performProxyCall Internal Object Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1081/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.09.2018
by Daily end-of-shift report 24 Sep '18

24 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-09-2018 18:00 − Montag 24-09-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malware Disguised as Job Offers Distributed on Freelance Sites ∗∗∗ --------------------------------------------- Attackers are using freelance job sites such as fiverr and Freelancer to distribute malware disguised as job offers. These job offers contain attachments that pretends to be the job brief, but are actually .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-disguised-as-job-off… ∗∗∗ Security: Curl bekommt eigenes Bug-Bounty-Programm ∗∗∗ --------------------------------------------- Das kleine Kommandozeilenwerkzeug Curl und dessen Bibliothek finden sich in nahezu allen vernetzten Geräten. Sicherheitsforscher erhalten künftig eine Bug-Bounty, also Geld für das Auffinden von Sicherheitslücken in der .. --------------------------------------------- https://www.golem.de/news/security-curl-bekommt-eigenes-bug-bounty-programm… ∗∗∗ Adwind Dodges AV via DDE ∗∗∗ --------------------------------------------- Cisco Talos, along with fellow cybersecurity firm ReversingLabs, recently discovered a .. --------------------------------------------- https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html ∗∗∗ Security - Android: Immer mehr Hersteller liefern Sicherheits-Updates ∗∗∗ --------------------------------------------- Mittlerweile 250 Modelle mit Patch Level aus den letzten 90 Tagen – Google zahlt 3 Millionen Dollar für Bug Bounties --------------------------------------------- https://derstandard.at/2000087981052/Android-Immer-mehr-Hersteller-liefern-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Video Surveillance Manager Appliance Default Password Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in Cisco Video Surveillance Manager (VSM) Software running on certain Cisco Connected Safety and Security Unified Computing System (UCS) platforms could allow an unauthenticated, remote .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DSA-4301 mediawiki - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4301 ∗∗∗ DSA-4302 openafs - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4302 ∗∗∗ ZDI-18-1079: Cisco WebEx Network Recording Player NMVC RtpConfig Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1079/ ∗∗∗ ZDI-18-1078: Cisco WebEx Network Recording Player NMVC RtpConfig Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1078/ ∗∗∗ Multiple vulnerabilities in Citrix StorageZones Controller ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-cit… ∗∗∗ Security vulnerabilities fixed in Firefox ESR 60.2.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2018-23/ ∗∗∗ Security vulnerabilities fixed in Firefox 62.0.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2018-22/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.09.2018
by Daily end-of-shift report 21 Sep '18

21 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-09-2018 18:00 − Freitag 21-09-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Unwiped Drives and Servers from NCIX Retailer for Sale on Craigslist ∗∗∗ --------------------------------------------- Servers and storage disks filled with millions of unencrypted confidential records of employees, customers .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unwiped-drives-and-servers-f… ∗∗∗ Pre-Pwned AMI Images in Amazons AWS public instance store, (Fri, Sep 21st) ∗∗∗ --------------------------------------------- I keep getting reports about AMI images in Amazon&#;x26;#;39;s AWS, which come "pre-pwned." These images .. --------------------------------------------- https://isc.sans.edu/diary/rss/24126 ∗∗∗ AES Resulted in a $250-Billion Economic Benefit ∗∗∗ --------------------------------------------- NIST has released a new study concluding that the AES encryption standard has resulted in a $250-billion worldwide economic benefit over the past 20 years. I have no idea how to even begin to assess the quality of the .. --------------------------------------------- https://www.schneier.com/blog/archives/2018/09/aes_resulted_in.html ∗∗∗ DanaBot shifts its targeting to Europe, adds new features ∗∗∗ --------------------------------------------- Recently, we have spotted a surge in activity of DanaBot, a stealthy banking Trojan discovered earlier this year. The malware, first observed in campaigns targeting Australia and later Poland, has apparently .. --------------------------------------------- https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new… ∗∗∗ Cyber - USA und Großbritannien rüsten im Cyberspace auf ∗∗∗ --------------------------------------------- Größerer Fokus auf eigene Offensiven gegen Angreifer von außen --------------------------------------------- https://derstandard.at/2000087842532/USA-und-Grossbritannien-ruesten-im-Cyb… ===================== = Vulnerabilities = ===================== ∗∗∗ Tec4Data SmartCooler ∗∗∗ --------------------------------------------- This advisory includes mitigations for a missing authentication for critical function vulnerability in Tec4Datas SmartCooler, a cooling appliance. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-263-01 ∗∗∗ Rockwell Automation RSLinx Classic ∗∗∗ --------------------------------------------- This advisory includes mitigations for stack-based buffer overflow, heap-based buffer overflow, and resource exhaustion vulnerabilities in Rockwell Automation’s RSLinx Classic. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-263-02 ∗∗∗ Security Advisory 2018-05: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- https://community.otrs.com/security-advisory-2018-05-security-update-for-ot… ∗∗∗ Security Advisory 2018-04: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- https://community.otrs.com/security-advisory-2018-04-security-update-for-ot… ∗∗∗ Vuln: Microsoft Windows JET Database Engine Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/105376 ∗∗∗ Wireshark Bugs in Multiple Dissectors Let Remote Users Cause the Application to Crash or Consume Excessive CPU Resources ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041608 ∗∗∗ MediaWiki Multiple Flaws Let Remote Authenticated Users Bypass Security Restrictions and Obtain Potentially Sensitive Information ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041695 ∗∗∗ Asterisk Stack Overflow in HTTP Websocket Upgrade Lets Remote Users Cause the Target Service to Crash ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041694 ∗∗∗ RSA Authentication Manager Input Validation Flaws Let Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041697 ∗∗∗ HPESBST03881 rev.1 - HPE Command View Advanced Edition (CVAE), Local and Remote Access Restriction Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03879 rev.1 - HPE StorageWorks XP7 Automation Director (AutoDir), Local and Remote Authentication Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03882 rev.1 - HPE Command View Advance Edition (CVAE) using JDK, Local and Remote Authentication Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2018
by Daily end-of-shift report 20 Sep '18

20 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-09-2018 18:00 − Donnerstag 20-09-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hunderttausende Überwachungskameras wegen Linux-Schwachstelle angreifbar ∗∗∗ --------------------------------------------- Die Angreifer können die Aufzeichnungen live ansehen, Material löschen oder Videos in Dauerschleife abspielen, um Einbrüche zu verschleiern. --------------------------------------------- https://futurezone.at/digital-life/hunderttausende-ueberwachungskameras-weg… ∗∗∗ BSI veröffentlicht Übersicht qualifizierter DDoS-Mitigation-Dienstleister ∗∗∗ --------------------------------------------- Basierend auf den ebenfalls veröffentlichten Auswahlkriterien für qualifizierte Dienstleister wurde ein wettbewerbsneutrales Verfahren entwickelt, durch das erste geeignete DDoS-Mitigation-Dienstleister identifiziert werden konnten. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/DDos-Mitiga… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glusterfs, php5, reportbug, and suricata), openSUSE (chromium and exempi), Red Hat (openstack-rabbitmq-container), SUSE (couchdb, crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui, gdm, OpenStack, pango, and webkit2gtk3), and Ubuntu (bind9, lcms, lcms2, and lcms2). --------------------------------------------- https://lwn.net/Articles/765814/ ∗∗∗ Vuln: Symantec Messaging Gateway CVE-2018-12243 XML External Entity Injection Vulnerability ∗∗∗ --------------------------------------------- Symantec Messaging Gateway is prone to an XML External Entity injection vulnerability. Attackers can exploit this issue to gain access to sensitive information or cause denial-of-service conditions. Versions prior to Messaging Gateway 10.6.6 are vulnerable --------------------------------------------- http://www.securityfocus.com/bid/105330 ∗∗∗ Vuln: Symantec Messaging Gateway CVE-2018-12242 Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- Symantec Messaging Gateway is prone to an authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may lead to further attacks. Versions prior to Messaging Gateway 10.6.6 are vulnerable --------------------------------------------- http://www.securityfocus.com/bid/105329 ∗∗∗ Cisco Webex Network Recording Player Remote Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Network Recording Player Remote Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX Security Bulletin ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10730909 ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private Cloud Foundry (CVE-2018-11047) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731715 ∗∗∗ IBM Security Bulletin: Privilege escalation vulnerability affects IBM Db2 Administrative Task Scheduler (CVE-2018-1711). ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729983 ∗∗∗ IBM Security Bulletin: Buffer overflow in IBM Db2 tool db2licm (CVE-2018-1710). ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729981 ∗∗∗ IBM Security Bulletin: Privilege escalation in IBM Db2 tool db2cacpy (CVE-2018-1685). ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729979 ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects AIX (CVE-2018-0732) Security Bulletin ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731039 ∗∗∗ IBM Security Bulletin: IBM Cloud Private Cloud Foundry is vulnerable to a security vulnerability ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731705 ∗∗∗ IBM Security Bulletin: Vulnerabilities in GSKit affect IBM Spectrum Scale used by DB2 pureScale (CVE-2018-1431, CVE-2018-1447, CVE-2017-3732, CVE-2016-0705) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731657 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2018
by Daily end-of-shift report 19 Sep '18

19 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-09-2018 18:00 − Mittwoch 19-09-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Western Digitals My Cloud NAS Devices Turn Out to Be Easily Hacked ∗∗∗ --------------------------------------------- Security researchers have discovered an authentication bypass vulnerability in Western Digitals My Cloud NAS devices that potentially allows an unauthenticated attacker to gain admin-level control to the affected devices. --------------------------------------------- https://thehackernews.com/2018/09/wd-my-cloud-nas-hacking.html ∗∗∗ XBash Malware Packs Double Punch: Destroys Data and Mines for Crypto Coins ∗∗∗ --------------------------------------------- It appears that on Windows, Xbash will focus on malicious cryptomining functions and self-propagation techniques, while on Linux systems, the malware will flaunt its data destructive tendencies; as the malware triggers a downloader to execute a coinminer on Windows, while on Linux it flaunts ransomware functions. --------------------------------------------- https://threatpost.com/xbash-malware-packs-double-punch-destroys-data-and-m… ∗∗∗ TIPs to Securely Deploy Industrial Control Systems ∗∗∗ --------------------------------------------- Schneider Electric has authored a whitepaper “Effective Implementation of Cybersecurity Countermeasures in Industrial Control Systems” that takes asset owners through the system deployment process. In this blog article, I will provide a brief overview of the concepts presented in the whitepaper. --------------------------------------------- https://blog.schneider-electric.com/cyber-security/2018/09/18/tips-to-secur… ∗∗∗ Fake finance apps on Google Play target users from around the world ∗∗∗ --------------------------------------------- Another set of fake finance apps has found its way into the official Google Play store. This time, the apps have impersonated six banks from New Zealand, Australia, the United Kingdom, Switzerland and Poland, and the Austrian cryptocurrency exchange Bitpanda. Using bogus forms, the malicious fakes phish for credit card details and/or login credentials to the impersonated legitimate services. --------------------------------------------- https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-tar… ∗∗∗ Multi-Vector WordPress Infection from Examhome ∗∗∗ --------------------------------------------- This September, we’ve been seeing a massive infection wave that injects malicious JavaScript code into .js, .php files and the WordPress database. --------------------------------------------- http://labs.sucuri.net/?note=2018-09-18 ===================== = Vulnerabilities = ===================== ∗∗∗ Security Updates available for Adobe Acrobat and Reader (APSB18-34) ∗∗∗ --------------------------------------------- Adobe has published security bulletin for Adobe Acrobat and Reader (APSB18-34) for Windows and MacOS. These updates address critical and important vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1617 ∗∗∗ BSRT-2018-003 Directory traversal vulnerability impacts the Connect Service of the BlackBerry Enterprise Mobility Server ∗∗∗ --------------------------------------------- This advisory addresses a directory traversal vulnerability that has been discovered in the Connect Service of the BlackBerry Enterprise Mobility Server (BEMS). BlackBerry is not aware of any exploitation of this vulnerability. Customer risk is limited ... --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Google Chrome, Chromium: Eine Schwachstelle ermöglicht nicht spezifizierte Angriffe ∗∗∗ --------------------------------------------- Ein Angreifer kann aufgrund einer Schwachstelle welche mit dem Schweregrad 'high' bewertet wird nicht weiter spezifizierte Angriffe ausführen. In der Vergangenheit konnten derartige Schwachstellen zumeist von einem entfernten und nicht authentisierten Angreifer ausgenutzt werden. Google stellt die Chrome und Chromium Version 69.0.3497.100 als Sicherheitsupdate bereit. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1886/ ∗∗∗ Xcode: Eine Schwachstelle ermöglicht die Übernahme des Systems ∗∗∗ --------------------------------------------- Ein lokaler, einfach authentifizierter Angreifer kann die Schwachstelle mit Hilfe einer speziell präparierten Anwendung ausnutzen, um beliebigen Programmcode mit Kernelprivilegien auszuführen und dadurch das komplette System zu übernehmen. Apple stellt Xcode 10 für macOS High Sierra 10.13.6 und später zur Behebung der Schwachstelle bereit. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1885/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium-browser and libapache2-mod-perl2), Oracle (kernel), and Ubuntu (ghostscript, glib2.0, and php5). --------------------------------------------- https://lwn.net/Articles/765573/ ∗∗∗ WECON PLC Editor ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-261-01 ∗∗∗ Vuln: Apache Camel CVE-2018-8041 Directory Traversal Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/105352 ∗∗∗ Security Advisory - Sensitive Information Leak Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180919-… ∗∗∗ IBM Security Bulletin: Information Disclosure Security Vulnerability Affects IBM Sterling B2B Integrator (CVE-2018-1800) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731379 ∗∗∗ IBM Security Bulletin: Blind SQL injection vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (CVE-2018-1674) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10720035 ∗∗∗ IBM Security Bulletin: IBM Data Science Experience Local is affected by a cryptography vulnerability ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10720161 ∗∗∗ The BIG-IP ASM system may stop enforcing attack signatures after activating a security policy that includes a new signature ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K83093212 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2018
by Daily end-of-shift report 18 Sep '18

18 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Montag 17-09-2018 18:00 − Dienstag 18-09-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Public Shaming of Companies for Bad Security ∗∗∗ --------------------------------------------- Troy Hunt makes some good points, with good examples. --------------------------------------------- https://www.schneier.com/blog/archives/2018/09/public_shaming_.html ∗∗∗ New XBash malware combines features from ransomware, cryptocurrency miners, botnets, and worms ∗∗∗ --------------------------------------------- Palo Alto Network researchers discovered a new malware, tracked as XBash, that combines features from ransomware, cryptocurrency miners, botnets, and worms Security researchers at Palo Alto Networks have .. --------------------------------------------- https://securityaffairs.co/wordpress/76305/malware/xbash-malware.html ∗∗∗ Extended Validation Certificates are Dead ∗∗∗ --------------------------------------------- Thats it - Im calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from .. --------------------------------------------- https://www.troyhunt.com/extended-validation-certificates-are-dead/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisory: CVE-2018-13982: Smarty 3.1.32 or below Trusted-Directory Bypass via Path Traversal ∗∗∗ --------------------------------------------- Smarty 3.1.32 or below is prone to a path traversal vulnerability due to insufficient sanitization of code in Smarty templates. This allows attackers controlling the Smarty template to bypass the trusted directory security restriction and read arbitrary files. Full security advisory --------------------------------------------- https://www.sba-research.org/2018/09/18/security-advisory-cve-2018-13982-sm… ∗∗∗ VMSA-2018-0015.1 ∗∗∗ --------------------------------------------- VMware AirWatch Agent updates resolve remote code execution vulnerability. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0015.html ∗∗∗ iOS 12 is out today - Updates for Safari, watchOS, tvOS, iOS. Full details here https://support.apple.com/en-ca/HT201222, (Tue, Sep 18th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/24112 ∗∗∗ IBM Security Bulletin: IBM Connections Security Refresh for Apache Struts Remote Code Execution (RCE) Vulnerability (CVE-2018-11776) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10731343 ∗∗∗ IBM Security Bulletin: IBM Cloud Manager with OpenStack is affected by a OpenSSL vulnerabilities (CVE-2018-0739) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10725849 ∗∗∗ Remote Code Execution in Moodle ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/remote-code-execution-php-un… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.09.2018
by Daily end-of-shift report 17 Sep '18

17 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-09-2018 18:00 − Montag 17-09-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB18-34) ∗∗∗ --------------------------------------------- A prenotification security advisory (APSB18-34) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Wednesday, September 19, 2018. We will continue to provide updates on the upcoming release via the Security Bulletins and Advisories page as well [...] --------------------------------------------- https://blogs.adobe.com/psirt/?p=1609 ∗∗∗ CSS-basierte Web-Attacke bringt iPhones zum Absturz ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat eine Schwachstelle in iOS entdeckt, mit der iPhones zum Absturz gebracht und neu gestartet werden können. --------------------------------------------- https://futurezone.at/digital-life/css-basierte-web-attacke-bringt-iphones-… ∗∗∗ Fbot, A Satori Related Botnet Using Block-chain DNS System ∗∗∗ --------------------------------------------- Since 2018-09-13 11:30 UTC, a new botnet (we call it Fbot) popped up in our radar which really caught our attention.There are 3 interesting aspects about this new botnet:First, so far the only purpose of this botnet looks to be just going after and removing another botnet --------------------------------------------- http://blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-i… ∗∗∗ Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows ∗∗∗ --------------------------------------------- Unit 42 researchers discover Xbash, a new malware family tied to the Iron Group targeting Linux and Microsoft Servers --------------------------------------------- https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-b… ∗∗∗ User Agent String "$ua.tools.random()" ? :-) ! ∗∗∗ --------------------------------------------- For many years I've observed requests for page license.php on my webservers, from various IPs and with various User Agent Strings: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/24102 ∗∗∗ Outdated Duplicator Plugin RCE Abused ∗∗∗ --------------------------------------------- We’re seeing an increase in the number of cases where attackers are disabling WordPress sites by removing or rewriting its wp-config.php file. These cases are all linked to the same vulnerable software: WordPress Duplicator Plugin. Versions lower than 1.2.42 of Snap Creek Duplicator plugin are vulnerable to a Remote Code Execution attack, where the malicious visitor is able to run any arbitrary code on the target site. --------------------------------------------- https://blog.sucuri.net/2018/09/outdated-duplicator-plugin-rce-abused.html ∗∗∗ Erlang Authenticated Remote Code Execution ∗∗∗ --------------------------------------------- Erlang is a programming language that I have tried to learn a few times in the past but never really dug in, that is, until recently.Erlange is an interesting language because it has “built-in concurrency, distribution, and fault tolerence”. To me, this means that it does job queing and distributed tasks right out of the gate. --------------------------------------------- https://malicious.link/post/2018/erlang-arce/ ∗∗∗ Bewerbungsschreiben verbreiten Schadsoftware ∗∗∗ --------------------------------------------- Unternehmen erhalten von Arbeitssuchenden elektronische Bewerbungsschreiben. Für die ausführlichen und angehängten Bewerbungsunterlagen der Kandidat/innen sollen sie einen Dateianhang im ZIP-Format öffnen. Er beinhaltet ausführbare Microsoft Windows-Anwendungen, die Schadsoftware sind. Diese Anwendungen dürfen Mitarbeiter/innen nicht öffnen, denn damit installieren sie die Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/news/bewerbungsschreiben-verbreiten-schad… ∗∗∗ gymondi.com ist ein Fakeshop ∗∗∗ --------------------------------------------- Gymondi.com ist ein sehr aufwendig aufgesetzter Onlineshop, der das Herz von Sportler/innen höherschlagen lässt. Konsument/innen finden bei gymondi.com Fitnessgeräte zu günstigeren Preisen als bei der Konkurrenz. Zusätzlich zum Preisvorteil kann ein 20% Rabattgutschein eingelöst werden, was den Gesamtpreis erheblich mindert. Wir raten von einem Einkauf ab! Sie werden lediglich um einen hohen Geldbetrag betrogen und gehen leer aus. --------------------------------------------- https://www.watchlist-internet.at/news/gymondicom-ist-ein-fakeshop/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (discount, ghostscript, intel-microcode, mbedtls, thunderbird, and zutils), Fedora (ghostscript, java-1.8.0-openjdk-aarch32, kernel-headers, kernel-tools, libzypp, matrix-synapse, nspr, nss, nss-softokn, nss-util, zsh, and zypper), Mageia (kernel, kernel-linus, and kernel-tmb), openSUSE (chromium, curl, ffmpeg-4, GraphicsMagick, kernel, libzypp, zypper, okular, python3, spice-gtk, tomcat, and zsh), Oracle (kernel), Slackware (php), SUSE (curl, [...] --------------------------------------------- https://lwn.net/Articles/765048/ ∗∗∗ BlackBerry Powered by Android Security Bulletin - September 2018 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Moodle: Mehrere Schwachstellen ermöglichen u. a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1871/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily September 2018