Daily September 2019

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 30.09.2019
by Daily end-of-shift report 30 Sep '19

30 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-09-2019 18:00 − Montag 30-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücke: Angreifer können verschlüsselte PDF-Daten leaken ∗∗∗ --------------------------------------------- Passwortgeschützte PDF-Dateien bieten wenig Sicherheit. Ein Angreifer, der die Dateien manipulieren kann, kann dafür sorgen, dass deren Inhalt geleakt wird. Abhilfe gibt es nicht, dafür müsste das Dateiformat geändert werden. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-angreifer-koennen-verschluessel… ∗∗∗ Kriminelle nützen Thomas Cook Insolvenz für Phishing-Attacken ∗∗∗ --------------------------------------------- Die Insolvenz von Thomas Cook und Neckermann Reisen ist momentan in aller Munde. Betroffene KonsumentInnen gelangten nun ins Visier Krimineller. In betrügerischen Phishing-Mails werden sie aufgefordert, Kreditkartendaten und Ausweise zu übermitteln, um ihr Geld zurückzuerhalten. Die E-Mails stammen nicht von Thomas Cook und müssen ignoriert werden! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-nuetzen-thomas-cook-insol… ∗∗∗ Masad Spyware Uses Telegram Bots for Command-and-Control ∗∗∗ --------------------------------------------- The malware harvests data, steals cryptocurrency and drops additional malware, while masquerading as a Fortnite aimbot and more. --------------------------------------------- https://threatpost.com/masad-spyware-telegram-bots/148759/ ∗∗∗ European Cybersecurity Month 2019 is launched ∗∗∗ --------------------------------------------- October marks the kick-off of the European Cybersecurity Month (ECSM), coordinated by the European Union Agency for Cybersecurity (ENISA), the European Commission and supported by the Member States. This campaign will focus on expanding awareness about cybersecurity to citizens across Europe. --------------------------------------------- https://www.enisa.europa.eu/news/european-cybersecurity-month-2019-is-launc… ∗∗∗ Malvertiser eGobbler Exploits Chrome & WebKit Bugs, Infects Over 1 Billion Ads ∗∗∗ --------------------------------------------- We have written about the threat actor eGobbler extensively on our blog over the last year as they’ve continued to emerge as a prolific source of malvertising. [...] Over the past 6 months, the threat group has leveraged obscure browser bugs in order to engineer bypasses for built-in browser mitigations against pop-ups and forced redirections. --------------------------------------------- https://blog.confiant.com/malvertiser-egobbler-exploits-chrome-webkit-bugs-… ∗∗∗ Cisco führt halbjährlichen Patchday ein ∗∗∗ --------------------------------------------- Ab sofort will Cisco alle sechs Monate gesammelte Sicherheitsupdates für sein Netzwerkbetriebssysteme IOS und IOS XE veröffentlichen. --------------------------------------------- https://heise.de/-4542793 ===================== = Vulnerabilities = ===================== ∗∗∗ MS-ISAC Releases Advisory on PHP Vulnerability ∗∗∗ --------------------------------------------- Original release date: September 27, 2019The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on a vulnerability in Hypertext Preprocessor (PHP). An attacker could exploit this vulnerability to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/27/ms-isac-releases-a… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (dovecot, kernel, and qemu-kvm), Debian (cimg, cups, e2fsprogs, exim4, file-roller, golang-1.11, httpie, and wpa), Fedora (curl, ghostscript, ibus, krb5, mod_md, and nbdkit), Mageia (chromium-browser-stable, libheif, and nghttp2), openSUSE (djvulibre, expat, libopenmpt, mosquitto, phpMyAdmin, and webkit2gtk3), Red Hat (nodejs:10), SUSE (gpg2), and Ubuntu (e2fsprogs and exim4). --------------------------------------------- https://lwn.net/Articles/800915/ ∗∗∗ Exim 4.92.3 security release ∗∗∗ --------------------------------------------- Exim 4.92.3 has been released with a fix for CVE-2019-16928, a heap-basedbuffer overflow in string_vformat that could lead to remote codeexecution. "The currently known exploit uses a extraordinary longEHLO string to crash the Exim process that is receiving the message. Whileat this mode of operation Exim already dropped its privileges, other paths toreach the vulnerable code may exist." --------------------------------------------- https://lwn.net/Articles/800917/ ∗∗∗ xpdf: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0857 ∗∗∗ LibreOffice: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0856 ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190930-… ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities affect the Report Builder that is shipped with Jazz Reporting Service (CVE-2019-4494, CVE-2019-4495, CVE-2019-4497) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Vulnerabilities in kernel affect Power Hardware Management Console (CVE-2019-11479,CVE-2019-11477 and CVE-2019-11478) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ke… ∗∗∗ IBM Security Bulletin: Potential denial of service vulnerability in WebSphere Application Server can affect IBM SPSS Analytic Server (CVE-2019-4046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-denial-of-s… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Apache HTTP Server affect Rational Build Forge (CVE-2019-9517, CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Build Forge (CVE-2019-4473; CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Daeja ViewONE Virtual may expose internal IP addresses (CVE-2019-4246) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-daeja-viewone-virtual… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2019
by Daily end-of-shift report 27 Sep '19

27 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-09-2019 18:00 − Freitag 27-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Adobe and Google Open Redirects Abused by Phishing Campaigns ∗∗∗ --------------------------------------------- Google and Adobe open redirects are being used by phishing campaigns in order to add legitimacy to the URLs used in the spam emails. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-and-google-open-redire… ∗∗∗ Digital Canaries in a Coal Mine: Detecting Enumeration with DNS and AD ∗∗∗ --------------------------------------------- A fundamental part of any network is the Domain Name Service (DNS). Adversaries will likely want to enumerate computers in Active Directory and connect to them, and at some point, they will likely interact with DNS doing so. A simple example is attempting to access a remote share and the resulting DNS query. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/digital-can… ∗∗∗ Researchers Disclose Another SIM Card Attack Possibly Impacting Millions ∗∗∗ --------------------------------------------- A new variant of a recently disclosed SIM card attack method could expose millions of mobile phones to remote hacking, researchers have warned. --------------------------------------------- https://www.securityweek.com/researchers-disclose-another-sim-card-attack-p… ∗∗∗ So schützen Sie sich effektiv vor Schadsoftware! ∗∗∗ --------------------------------------------- Auf dubiosen Websites, in betrügerischen E-Mails oder in scheinbar harmlosen Chat-Nachrichten kann sich Schadsoftware verstecken. Diese verseuchten Dateien dürfen nicht ausgeführt werden, da sie ansonsten das Smartphone, den Computer oder das Netzwerk infizieren. Kriminelle können so beispielsweise sensible Daten auslesen und stehlen, Rechenleistung abzweigen oder ganze Systeme lahmlegen bis eine Kaution bezahlt wird. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-effektiv-vor-s… ∗∗∗ Microsoft: New Nodersok malware has infected thousands of PCs ∗∗∗ --------------------------------------------- New Nodersok malware installs Node.js to turn systems into proxies, perform click-fraud. --------------------------------------------- https://www.zdnet.com/article/microsoft-new-nodersok-malware-has-infected-t… ∗∗∗ Hit by ransomware? Victims of these four types of file-encrypting malware can now retrieve their files for free ∗∗∗ --------------------------------------------- Cybersecurity researchers crack the codes of FortuneCrypt, Yatron, WannaCryFake and Avest ransomware, allowing victims to get their files back without paying cyber criminals. --------------------------------------------- https://www.zdnet.com/article/hit-by-ransomware-victims-of-these-four-types… ∗∗∗ New WhiteShadow downloader uses Microsoft SQL to retrieve malware ∗∗∗ --------------------------------------------- https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloade… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 27, 2019Apple has released security updates to address a vulnerability in multiple products. A remote attacker could exploit this vulnerability to take control of an affected system.The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates: macOS Mojave 10.14.6 Supplemental Update 2, Security Update 2019-005 High Sierra, and [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/27/apple-releases-sec… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dcmtk), openSUSE (rust), Red Hat (redhat-virtualization-host), and SUSE (ghostscript, nghttp2, and u-boot). --------------------------------------------- https://lwn.net/Articles/800699/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Information Disclosure Vulnerabilities Affect IBM Sterling File Gateway (CVE-2019-4423, CVE-2019-4280) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Information Disclosure Vulnerabilities Affect IBM Sterling File Gateway (CVE-2019-4423, CVE-2019-4280) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect GCM16 & GCM32 KVM Switch Firmware (CVE-2018-0734, CVE-2018-0737, CVE-2018-0739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-op… ∗∗∗ HPESBGN03957 rev.1 - HPE Oneview for VMware vCenter, Remote Cross-Site Scripting ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2019
by Daily end-of-shift report 26 Sep '19

26 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-09-2019 18:00 − Donnerstag 26-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Forensoftware vBulletin: Patch schließt kritische Zero-Day-Lücke ∗∗∗ --------------------------------------------- Die Entwickler von vBulletin haben Patches bereitgestellt, die eine als kritisch eingestufte Sicherheitslücke schließen. Forenbetreiber sollten jetzt handeln. --------------------------------------------- https://heise.de/-4539833 ∗∗∗ BSI stellt Service-Paket "IT-Notfall" für kleine und mittlere Unternehmen vor ∗∗∗ --------------------------------------------- Eine Notfallkarte zum Aushängen und ein neuer Maßnahmenkatalog für Sicherheitsverantwortliche sollen KMU helfen, mit Cyber-Bedrohungen besser umzugehen. --------------------------------------------- https://heise.de/-4540075 ∗∗∗ Hackers Replace Windows Narrator to Get SYSTEM Level Access ∗∗∗ --------------------------------------------- Chinese hackers are replacing the legitimate Narrator app on targeted Windows systems with a trojanized version that gives them remote access with privileges of the most powerful account on the operating system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-replace-windows-narr… ∗∗∗ Ransomware Decryptors Released for Yatron, WannaCryFake, & FortuneCrypt ∗∗∗ --------------------------------------------- Security vendors released decryptors for three ransomware infections today that allow victims to recover their files for free. These decryptors are for the WannaCryFake, Yatron, and FortuneCrypt Ransomware infections. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-decryptors-releas… ∗∗∗ Windows‌ ‌Exploitation‌ ‌Tricks:‌ ‌Spoofing‌ ‌Named‌ ‌Pipe‌ ‌Client‌ ‌PID‌ ∗∗∗ --------------------------------------------- Posted by James Forshaw, Project ZeroWhile researching the Access Mode Mismatch in IO Manager bug class I came across an interesting feature in named pipes which allows a server to query the connected clients PID. This feature was introduced in Vista and is exposed to servers through the GetNamedPipeClientProcessId API, pass the API a handle to the pipe server and you’ll get back the PID of the connected client. --------------------------------------------- https://googleprojectzero.blogspot.com/2019/09/windows-exploitation-tricks-… ∗∗∗ Joomla! Security Best Practices: 12 Ways to Keep Joomla! Secure ∗∗∗ --------------------------------------------- At Sucuri, we’re often asked how website owners and webmasters can secure their websites. However, most advice can often be too broad; different content management systems (CMS) exist in this ecosystem, and each requires a unique security configuration. --------------------------------------------- https://blog.sucuri.net/2019/09/joomla-security-best-practices.html ∗∗∗ Hackers looking into injecting card stealing code on routers, rather than websites ∗∗∗ --------------------------------------------- Magecart (web skimming) attacks are evolving into a direction where theyre gonna be harder and harder to detect. --------------------------------------------- https://www.zdnet.com/article/hackers-looking-into-injecting-card-stealing-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Releases Security Advisories ∗∗∗ --------------------------------------------- Original release date: September 26, 2019Cisco has released security updates to address vulnerabilities affecting multiple Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Cisco Security Advisories page and apply the necessary updates. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/26/cisco-releases-sec… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (dovecot), Debian (lemonldap-ng, openssl, and ruby-nokogiri), openSUSE (fish3, ibus, nmap, and openssl-1_1), Slackware (mozilla), SUSE (mariadb, python-numpy, and SDL2), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/800647/ ∗∗∗ Multiple Vulnerabilities in Citrix License Server for Windows and VPX ∗∗∗ --------------------------------------------- CTX261963 NewApplicable Products : LicensingMultiple Denial-of-Service vulnerabilities have been identified in Citrix License Server for Windows and VPX that, when exploited, could result in an attacker being able to force the vendor service to shutdown. --------------------------------------------- https://support.citrix.com/article/CTX261963 ∗∗∗ BlackBerry Powered by Android Security Bulletin - September 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Gutenberg - Critical - Access bypass - SA-CONTRIB-2019-069 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-069 ∗∗∗ Permissions by Term - Moderately critical - Access bypass - SA-CONTRIB-2019-068 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-068 ∗∗∗ IBM Security Bulletin: Linux kernel as used by IBM QRadar SIEM is vulnerable to privilege escalation(Publicly disclosed vulnerability) (CVE-2019-3896) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-linux-kernel-as-used-… ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance are vulnerable to a denial of service attack caused by a memory leak in the clustering code. (CVE-2019-4141) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-and-ibm-mq-app… ∗∗∗ IBM Security Bulletin: There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7, Version 8, that is used by IBM Workload Scheduler. These issues were disclosed as part of the IBM Java SDK updates in October 2018 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-there-are-multiple-vu… ∗∗∗ Multiple SQL Injection Vulnerabilities in eBrigade ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-sql-injection-vulnerabi… ∗∗∗ Linux Kernel: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0840 ∗∗∗ Linux Kernel: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0838 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.09.2019
by Daily end-of-shift report 25 Sep '19

25 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-09-2019 18:00 − Mittwoch 25-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ vBulletin Zero-Day Exploited for Years, Gets Unofficial Patch ∗∗∗ --------------------------------------------- A zero-day exploit for the vBulletin forum platform was publicly disclosed and quickly used to attack affected versions of the forum software. It turns out, though, that this exploit has been known, utilized, and sold by researchers and attackers for years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vbulletin-zero-day-exploited… ∗∗∗ Free Decryptors Released for Two Ransomware Families ∗∗∗ --------------------------------------------- Security researchers have released decryption tools which victims of two different ransomware families can use to recover their files for free. On 25 September, Kaspersky Lab unveiled decryptors for both the Yatron and FortuneCrypt crypto-ransomware families. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/free-de… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 25, 2019Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit one of these vulnerabilities to obtain access to sensitive information. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/09/25/apple-releases-sec… ∗∗∗ Cisco Adaptive Security Appliance Web Services Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web interface of the Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause an affected device to reload unexpectedly, resulting in a denial of service (DoS) condition. It is also possible on certain software releases that the ASA will not reload, but an attacker could view sensitive system information without authentication by using directory traversal techniques. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ VMSA-2019-0015 ∗∗∗ --------------------------------------------- VMware Cloud Foundation and VMware Harbor Container Registry for PCF address remote escalation of privilege vulnerability (CVE-2019-16097) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0015.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, libgcrypt20, and spip), Fedora (compat-openssl10, expat, ghostscript, ibus, java-1.8.0-openjdk-aarch32, and SDL2_image), openSUSE (bird, chromium, kernel, libreoffice, links, and varnish), Oracle (httpd:2.4 and qemu-kvm), Red Hat (kernel), Scientific Linux (qemu-kvm), SUSE (djvulibre, dovecot22, ghostscript, kernel, libxml2, and python-Twisted), and Ubuntu (file-roller and libreoffice). --------------------------------------------- https://lwn.net/Articles/800553/ ∗∗∗ [20190901] - Core - XSS in logo parameter of default templates ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/PO-TPPu7rQ0/791-20190901-c… ∗∗∗ SBA-ADV-20190911-01: Easy FancyBox Wordpress Plugin Stored Cross-site Scripting (XSS) ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/9000d9bfd120a1b8f5f1643e5f… ∗∗∗ Security Advisory - Two Integer overflow Vulnerabilities in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ Security Advisory - Out-of-bounds Read Vulnerability in Gauss100 OLTP Database of Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ Security Advisory - Improper Validation Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ Security Advisory - Insufficient Verification Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ Security Advisory - Insufficient Verification Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190925-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Linux Kernel as used in IBM QRadar Network Packet Capture is vulnerable to denial of service (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-linux-kernel-as-used-… ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance command server is vulnerable to a denial of service attack caused by specially crafted PCF messages (CVE-2019-4378) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-and-ibm-mq-app… ∗∗∗ IBM Security Bulletin: Java Vulnerability Affects IBM Sterling Connect:Direct Browser User Interface (CVE-2019-10241, CVE-2019-10246 & CVE-2019-10247) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-java-vulnerability-af… ∗∗∗ IBM Security Bulletin: Clickjacking vulnerability in WebSphere Application Server Liberty Admin Center in IBM Cloud (CVE-2019-4285) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-clickjacking-vulnerab… ∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Server Side Request Forgery (CVE-2019-4262) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-siem-is-vu… ∗∗∗ IBM Security Bulletin:IBM Security Identity Adapters has released a fix in response to the OpenSSL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletinibm-security-identity-… ∗∗∗ BIG-IQ services for stats vulnerability CVE-2019-6652 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23101430 ∗∗∗ BIG-IP APM Edge Client logging vulnerability CVE-2019-6656 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23876153 ∗∗∗ BIG-IP Analytics vulnerability CVE-2019-6655 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31152411 ∗∗∗ Martian address filtering vulnerability CVE-2019-6654 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K45644893 ∗∗∗ BIG-IQ vulnerability CVE-2019-6653 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K71712132 ∗∗∗ REST Framework vulnerability CVE-2019-6651 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K89509323 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.09.2019
by Daily end-of-shift report 24 Sep '19

24 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Montag 23-09-2019 18:00 − Dienstag 24-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MITRE ATT&CK vulnerability spotlight: Access token manipulation ∗∗∗ --------------------------------------------- MITRE is a U.S. government federally-funded research and development center (FFRDC) which performs a large amount of research and assessment as a trusted third party for the government. One of their research areas is cybersecurity, and they have developed the MITRE ATT&CK matrix to help with research and education about cybersecurity threats. --------------------------------------------- https://resources.infosecinstitute.com/mitre-attck-access-token-manipulatio… ∗∗∗ Huge Amount of remotewebaccess.com Sites Found in Certificate Transparency Logs ∗∗∗ --------------------------------------------- Im keeping an eye on the certificate transparency logs[1] using automated scripts. The goal is to track domain names (and their variations) of my customers, sensitive services in Belgium, key Internet players and some interesting keywords. Yesterday I detected a peak of events related to the domain remotewebaccess.com. --------------------------------------------- https://isc.sans.edu/forums/diary/Huge+Amount+of+remotewebaccesscom+Sites+F… ∗∗∗ E-Mail der Chaos-Hacking-Gruppe ignorieren ∗∗∗ --------------------------------------------- Angeblich hat sich die Chaos-Hacking-Gruppe in Ihr E-Mail-Konto und Betriebssystem gehackt und Ihr Surfverhalten drei Monate lang beobachtet. Die Kriminellen behaupten, Sie beim Surfen auf Porno-Seiten erwischt und bei intimen Handlungen gefilmt zu haben. Damit das Video über Sie nicht an all Ihre Kontakte gesendet wird, fordern die Hacker eine Überweisung von 2.000 Euro in Form von Bitcoins. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-der-chaos-hacking-gruppe-igno… ∗∗∗ No summer vacations for Zebrocy ∗∗∗ --------------------------------------------- ESET researchers describe the latest components used in a recent Sednit campaign The post No summer vacations for Zebrocy appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Updates Available for ColdFusion (APSB19-47) ∗∗∗ --------------------------------------------- Adobe has published a Security Bulletin (APSB19-47) for ColdFusion versions 2018 and 2016. These updates resolve two critical and one moderate vulnerability that could lead to arbitrary code execution and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided “AS IS” with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1789 ∗∗∗ Notfallpatch: Attacken gegen Internet Explorer ∗∗∗ --------------------------------------------- Ein Update schließt eine kritische Lücke im Internet Explorer – es ist aber noch nicht über Windows Update verfügbar. Auch Windows Defender bekommt einen Patch. --------------------------------------------- https://heise.de/-4537525 ∗∗∗ Zero Day Vulnerability in Rich Reviews Plugin Exploited In The Wild ∗∗∗ --------------------------------------------- Description: XSS Via Unauthenticated Plugin Options Update Affected Plugin: Rich Reviews Affected Versions: [...] --------------------------------------------- https://www.wordfence.com/blog/2019/09/rich-reviews-plugin-vulnerability-ex… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php5), Fedora (blis, kernel, and kernel-headers), openSUSE (bird, curl, fish3, ghostscript, ibus, kernel, libgcrypt, openldap2, openssl-1_1, skopeo, and util-linux and shadow), Oracle (dovecot and kernel), Red Hat (dovecot, httpd:2.4, qemu-kvm, and redhat-virtualization-host), Scientific Linux (dovecot), SUSE (djvulibre, expat, firefox, libopenmpt, and rust), and Ubuntu (ibus and Mosquitto). --------------------------------------------- https://lwn.net/Articles/800448/ ∗∗∗ IBM Security Bulletin: IBM Content Navigator is affected by a vulnerability in Apache Commons Compress (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-content-navigator… ∗∗∗ IBM Security Bulletin: IBM Cloud Private for Data is affected by a vulnerability in Go Language (CVE-2019-6486) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-private-for… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.09.2019
by Daily end-of-shift report 23 Sep '19

23 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-09-2019 18:00 − Montag 23-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zunahme von erfolgreichen Cyber-Angriffen mit Emotet – BSI rät zu Schutzmaßnahmen ∗∗∗ --------------------------------------------- Cyber-Angriffe mit der Schadsoftware Emotet haben in den vergangenen Tagen erhebliche Schäden in der deutschen Wirtschaft, aber auch bei Behörden und Organisationen verursacht. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) warnt daher erneut eindringlich vor dieser Schadsoftware und gibt ausführliche Hinweise zum Schutz vor Emotet. Auch Privatanwender stehen im Fokus der Angreifer. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Emotet-Warn… ∗∗∗ Meet Stop Ransomware: The Most Active Ransomware Nobody Talks About ∗∗∗ --------------------------------------------- Have you ever heard of the STOP Ransomware? Probably not, as few write about it, most researchers dont cover it, and for the most part it targets consumers through cracked software, adware bundles, and shady sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/meet-stop-ransomware-the-mos… ∗∗∗ What you should know about Ryuk ransomware ∗∗∗ --------------------------------------------- The ransomware called Ryuk has established ransomware as a lucrative enterprise product. This sentence may sound provocative, as it is treating cybercriminals like businesspeople, but this is what Ryuk is about - making money. This strain of ransomware is estimated by Crowdstrike to have made the gang behind it over $3.7 million USD since [...] --------------------------------------------- https://resources.infosecinstitute.com/what-you-should-know-about-ryuk-rans… ∗∗∗ Hello! My name is Dtrack ∗∗∗ --------------------------------------------- When we first discovered ATMDtrack, we thought we were just looking at another ATM malware family. Now we can add another family to the Lazarus group’s arsenal: ATMDtrack and Dtrack. --------------------------------------------- https://securelist.com/my-name-is-dtrack/93338/ ∗∗∗ YARA XOR Strings: an Update, (Sun, Sep 22nd) ∗∗∗ --------------------------------------------- Almost a year ago, I reported on a new feature in YARA version 3.8.0: YARA XOR Strings. The new YARA xor keyword allows for the search of strings that are XOR-encoded with a one-byte key. --------------------------------------------- https://isc.sans.edu/diary/rss/25346 ∗∗∗ Bereit für NISG & NISV? – Anforderungen an den Umgang mit Sicherheitsvorfällen ∗∗∗ --------------------------------------------- Es ist so weit - Österreich hat mit dem Beschluss der Netz- und Informationssystemsicherheitsverordnung (NISV) nun konkrete Netzwerk- und Informationssicherheitsanforderungen für Anbietern wesentlicher Dienste i.S.d. Netz- und Informationssystemsicherheitsgesetz (NISG) festgelegt. --------------------------------------------- https://www.sec-consult.com/blog/2019/09/bereit-fuer-nisg-nisv-anforderunge… ∗∗∗ Dear network operators, please use the existing tools to fix security ∗∗∗ --------------------------------------------- The internets security and stability would be significantly improved if network operators implemented protocols that were already written into technical standards and if vendors provided better tools for fixing security. --------------------------------------------- https://www.zdnet.com/article/dear-network-operators-please-use-the-existin… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Jira Server und Data Center vor Schadcode-Attacken gefährdet ∗∗∗ --------------------------------------------- Verschiedene Software von Jira ist über kritische Sicherheitslücken attackierbar. Angreifer könnten die Kontrolle über Server übernehmen. --------------------------------------------- https://heise.de/-4536050 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, php-pecl-http, and php7.0), Fedora (ImageMagick, jackson-annotations, jackson-bom, jackson-core, jackson-databind, and rubygem-rmagick), Mageia (chromium-browser-stable, ibus, kernel, samba, and thunderbird), openSUSE (chromium), Oracle (dovecot and kernel), Red Hat (dbus, kernel, kernel-alt, and kpatch-patch), Scientific Linux (dovecot and kernel), and SUSE (expat, ibus, kernel, kernel-source-rt, nmap, openssl, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/800377/ ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190921-… ∗∗∗ Security Advisory - Race Condition Vulnerability on Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190911-… ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager stores password in clear text (CVE-2019-4566) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life… ∗∗∗ IBM Security Bulletin: Apache Commons Compress vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-apache-commons-compre… ∗∗∗ IBM Security Bulletin: Node.js vulnerabilities affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-node-js-vulnerabiliti… ∗∗∗ IBM Security Bulletin: Clickjacking vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-4285) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-clickjacking-vulnerab… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-2684, CVE-2019-4473, CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2019
by Daily end-of-shift report 20 Sep '19

20 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-09-2019 18:00 − Freitag 20-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Forcepoint Fixes Privilege Escalation Bug in Windows VPN Client ∗∗∗ --------------------------------------------- A vulnerability affecting all versions of Forcepoint VPN Client for Windows, save the latest release, can be used to achieve persistence and evade detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/forcepoint-fixes-privilege-e… ∗∗∗ Fake SSO Used In Multi-Email Provider Phishing ∗∗∗ --------------------------------------------- Single sign-on (SSO) allows users to sign into a single account (e.g Google) and access other services like YouTube or Gmail without authenticating with a separate username and password. This feature also extends to third party services such as the popular Dropbox file sharing application, which offers users the option to access their account using Google’s authentication from their sign in page. Malicious Pages Mimic Popular Login Workflows [...] --------------------------------------------- https://blog.sucuri.net/2019/09/fake-sso-used-in-multi-email-provider-phish… ∗∗∗ Blacklisting or Whitelisting in the Right Way ∗∗∗ --------------------------------------------- Its Friday today, Id like to talk about something else. Black (or white) lists are everywhere today. Many security tools implement a way to allow/deny accesses or actions on resources based on "lists" bsides the automated processing of data. The approach to implement them is quite different: --------------------------------------------- https://isc.sans.edu/forums/diary/Blacklisting+or+Whitelisting+in+the+Right… ∗∗∗ Wenn Instagram- und Facebook-Freunde nach der Handynummer fragen ∗∗∗ --------------------------------------------- Zahlreiche NutzerInnen berichten derzeit, dass sie von FreundInnen über den Instagram-Chat oder den Facebook-Messenger nach ihrer Handynummer gefragt werden. Anschließend wird noch nach einem 4-stelligen PIN Code gefragt. Achtung! Hier schreiben nicht die FreundInnen. Deren Zugang wurde gehackt. Kriminelle versuchen so, ein kostenpflichtiges Abo abzuschließen. --------------------------------------------- https://www.watchlist-internet.at/news/wenn-instagram-und-facebook-freunde-… ===================== = Vulnerabilities = ===================== ∗∗∗ Tridium Niagara ∗∗∗ --------------------------------------------- This advisory contains mitigations for information exposure and improper authorization vulnerabilities in Tridiums Niagara business application framework software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-262-01 ∗∗∗ WECON LeviStudioU (Update A) ∗∗∗ --------------------------------------------- WECON has produced Version 1.8.69 to fix the reported vulnerabilities in Version 1.8.56; however, exploits are still successful against this updated version. --------------------------------------------- https://www.us-cert.gov/ics/advisories/ICSA-19-036-03 ∗∗∗ VMSA-2019-0014 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial of service vulnerabilities. (CVE-2019-5527, CVE-2019-5535) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0014.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bird, opendmarc, php7.3, and qemu), Fedora (bird, dino, nbdkit, and openconnect), Oracle (nginx:1.14, patch, and thunderbird), Red Hat (dovecot, kernel, kernel-alt, and kernel-rt), Scientific Linux (thunderbird), and SUSE (kernel, openssl, openssl-1_1, python-SQLAlchemy, and python-Werkzeug). --------------------------------------------- https://lwn.net/Articles/800149/ ∗∗∗ Western Digital My Book World II NAS 1.02.12 Hardcoded Credential ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019090130 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is affected by Cross-Site Request Forgery (CVE-2019-4515 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Oracle Outside In Technology affect IBM Rational DOORS Next Generation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Synthetic Playback Agent 8.1.4 is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-synthetic-playback-ag… ∗∗∗ IBM Security Bulletin: Synthetic Playback Agent 8.1.4.x is affected by multiple vulnerabilities of Mozilla Firefox ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-synthetic-playback-ag… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2019
by Daily end-of-shift report 19 Sep '19

19 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-09-2019 18:00 − Donnerstag 19-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake Human Verification Spam ∗∗∗ --------------------------------------------- We recently released an update to our Labs Knowledgebase for new plugins that had been targeted during the month of July 2019. One of these newly targeted plugins was Advanced Booking Calendar — and it didn’t take long before we were receiving clean up requests for websites that had already been exploited through this plugin. --------------------------------------------- https://blog.sucuri.net/2019/09/fake-human-verification-spam.html ∗∗∗ Agent Tesla Trojan Abusing Corporate Email Accounts ∗∗∗ --------------------------------------------- The trojan Agent Tesla is not brand new, discovered in 2018, it is written in VisualBasic and has plenty of interesting features. Just have a look at the MITRE ATT&CK overview of its TTP[1]. --------------------------------------------- https://isc.sans.edu/forums/diary/Agent+Tesla+Trojan+Abusing+Corporate+Emai… ∗∗∗ Shhmon — Silencing Sysmon via Driver Unload ∗∗∗ --------------------------------------------- https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Lücke erlaubt Root-Zugriff auf D-Link-NAS DNS-320 ∗∗∗ --------------------------------------------- Ein Update schließt eine Schwachstelle mit Höchstwertung im Netzwerkspeicher DNS-320 von D-Link. --------------------------------------------- https://heise.de/-4533707 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (exiv2, firefox, ghostscript, http-parser, httpd, kdelibs and kde-settings, kernel, pango, qemu-kvm, and thunderbird), Debian (ibus), Fedora (kernel, kernel-headers, python34, qbittorrent, and samba), openSUSE (chromium), Oracle (go-toolset:ol8), Red Hat (kernel, nginx:1.14, patch, ruby, skydive, systemd, and thunderbird), Scientific Linux (thunderbird), SUSE (libreoffice, openssl-1_1, python-urllib3, and python-Werkzeug), and Ubuntu (tomcat9 and wpa, [...] --------------------------------------------- https://lwn.net/Articles/799971/ ∗∗∗ Critical Vulnerability in Harbor Enables Privilege Escalation from Zero to Admin (CVE-2019-16097) ∗∗∗ --------------------------------------------- Aviv Sasson, a security researcher from the cloud division of Unit 42, has identified a critical vulnerability in a widespread cloud native registry called Harbor. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request. The maintainers of Harbor released a patch that closes this critical security hole. --------------------------------------------- https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enable… ∗∗∗ TableField - Moderately critical - Access bypass - SA-CONTRIB-2019-067 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-067 ∗∗∗ Create user permission - Critical - Access bypass - SA-CONTRIB-2019-066 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-066 ∗∗∗ Kubernetes: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0826 ∗∗∗ Cisco HyperFlex Software Counter Value Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco HyperFlex Software Cross-Frame Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei CloudEngine Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190918-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Security QRadar Packet Capture is vulnerable to Denial of Service (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-3896) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-qradar-p… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms July 2019 CPU (CVE-2019-2816, CVE-2019-11771, CVE-2019-4473) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager July 2019 CPU (CVE-2019-2816, CVE-2019-11771, CVE-2019-4473) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime Affect IBM Sterling Connect:Direct File Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system and Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs CVE-2019-4473 and CVE-2019-11771 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-eclipse-openj9-could-… ∗∗∗ IBM Security Bulletin: Node.js as used in IBM QRadar Packet Capture is vulnerable to the following CVE’s (CVE-2019-1559, CVE-2019-5737, CVE-2019-5739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-node-js-as-used-in-ib… ∗∗∗ IBM Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2018-0732, CVE-2018-0734, CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-affects… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2019
by Daily end-of-shift report 18 Sep '19

18 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-09-2019 18:00 − Mittwoch 18-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Warning: Researcher Drops phpMyAdmin Zero-Day Affecting All Versions ∗∗∗ --------------------------------------------- A cybersecurity researcher recently published details and proof-of-concept for an unpatched zero-day vulnerability in phpMyAdmin—one of the most popular applications for managing the MySQL and MariaDB databases. --------------------------------------------- https://thehackernews.com/2019/09/phpmyadmin-csrf-exploit.html ∗∗∗ Clever New DDoS Attack Gets a Lot of Bang for a Hackers Buck ∗∗∗ --------------------------------------------- By exploiting the WS-Discovery protocol, a new breed of DDoS attack can get a huge rate of return. --------------------------------------------- https://www.wired.com/story/ddos-attack-ws-discovery ∗∗∗ FAQ: Emotet (bei Heise) ∗∗∗ --------------------------------------------- Seit die Heise Gruppe von einer Emotet-Infektion betroffen war, erreichen uns immer wieder Rückfragen. Hier die Antworten auf die häufigsten davon. --------------------------------------------- https://heise.de/-4517354 ∗∗∗ SMS von "PostInfo" führt in Abo-Falle ∗∗∗ --------------------------------------------- Zahlreiche HandynutzerInnen erhalten momentan eine SMS von PostInfo. Sie haben angeblich etwas bei einer Verlosung gewonnen. Um den Gewinn einzulösen, müssen sie einem Link folgen. Dieser führt zu einer Umfrage auf einer gefälschten Post-Seite. Achtung: dieses SMS stammt nicht von der Post, sondern von Kriminellen. Sie werden in eine Abo-Falle gelockt. --------------------------------------------- https://www.watchlist-internet.at/news/sms-von-postinfo-fuehrt-in-abo-falle/ ∗∗∗ Daily Emotet IoCs and Notes for 09/16/19 ∗∗∗ --------------------------------------------- Emotet Malware Document links/IOCs for 09/16/19 as of 09/17/19 02:30 EDTNotes and Credits at the bottom Follow us on twitter @cryptolaemus1 for more updates. --------------------------------------------- https://paste.cryptolaemus.com/emotet/2019/09/16/emotet-malware-IoCs_09-16-… ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- This advisory contains mitigations for code injection, command injection, stack-based buffer overflow, and improper authorization vulnerabilities in Advantechs WebAccess HMI platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-260-01 ∗∗∗ Honeywell Performance IP Cameras and Performance NVRs ∗∗∗ --------------------------------------------- This advisory includes mitigations for an information exposure vulnerability in the Honeywell Performance IP Cameras and Performance NVRs product. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-260-03 ∗∗∗ HPESBHF03844 rev.3 - HPE Integrated Lights-Out 4, 5 (iLO 4, 5) iLO Moonshot and Moonshot iLO Chassis Manager, Remote or Local Code Execution ∗∗∗ --------------------------------------------- Version:3 (rev.3) - 17 September 2019 added iLO Moonshot and Moonshot iLO Chassis Manager --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03866 rev.3 - HPE Integrated Lights-Out 3,4,5 iLO Moonshot and Moonshot iLO Chassis Manager, using SSH, Remote Execution of Arbitrary Code, Local Disclosure of Sensitive Information ∗∗∗ --------------------------------------------- Version:3 (rev.3) - 17 September 2019 added iLO Moonshot and Moonshot iLO Chassis Manager --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Security update available in Foxit Studio Photo 3.6.6.913 ∗∗∗ --------------------------------------------- Foxit has released Foxit Studio Photo 3.6.6.913, which addresses potential security and stability issues. --------------------------------------------- https://www.foxitsoftware.com/support/security-bulletins.php ∗∗∗ Kritisches Update für AMD-Grafikkarten löst spezielles Sicherheitsproblem ∗∗∗ --------------------------------------------- Die Kombination von VMware Workstation Pro und AMD-GPUs könnte die Computersicherheit gefährden. --------------------------------------------- https://heise.de/-4533148 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and kernel), Debian (thunderbird), Fedora (curl), openSUSE (curl and python-Werkzeug), Oracle (kernel and thunderbird), Red Hat (rh-nginx114-nginx), SUSE (curl, ibus, MozillaFirefox, firefox-glib2, firefox-gtk3, openldap2, openssl, openssl1, python-urllib3, and util-linux and shadow), and Ubuntu (linux, linux-aws, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-oracle, linux-raspi2, linux-snapdragon, and wpa). --------------------------------------------- https://lwn.net/Articles/799765/ ∗∗∗ WAGO Series PFC100/PCF200 Information Disclosure ∗∗∗ --------------------------------------------- The reported vulnerability allows a remote attacker to check paths and file names that are used in filesystem operations. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-017 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager uses Weak password policy (CVE-2019-4565) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-key-life… ∗∗∗ IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2019 – Includes Oracle Jul 2019 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sdk-java-technolo… ∗∗∗ IBM Security Bulletin: Vulnerability in Eclipse Jetty affecting Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ecli… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities have been identified in bundled libraries of IBM Tivoli Netcool/OMNIbus Common Integration Libraries (CVE-2019-12086, CVE-2019-0201) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerability affects Watson Explorer Foundational Components (CVE-2018-0732, CVE-2018-0734, CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-affects… ∗∗∗ Reflected Cross-Site Scripting (XSS) in Oracle Mojarra JSF ∗∗∗ --------------------------------------------- https://sec-consult.com/en/blog/advisories/reflected-cross-site-scripting-x… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.09.2019
by Daily end-of-shift report 17 Sep '19

17 Sep '19

===================== = End-of-Day report = ===================== Timeframe: Montag 16-09-2019 18:00 − Dienstag 17-09-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Emotet Revived with Large Spam Campaigns Around the World ∗∗∗ --------------------------------------------- Less than a month after reactivating its command and control (C2) servers, the Emotet botnet has come to like by spewing spam messages to countries around the globe. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-revived-with-large-sp… ∗∗∗ Misuse of WordPress update_option() function Leads to Website Infections ∗∗∗ --------------------------------------------- In the past four months, Sucuri has seen an increase in the number of plugins affected by the misuse of WordPress’ update_option() function. This function is used to update a named option/value in the options database table. If developers do not implement the permission flow correctly, attackers can gain admin access or inject arbitrary data into any website. Note: The WordPress update_option() function cannot be used maliciously if the developer correctly implements it in their code. --------------------------------------------- https://blog.sucuri.net/2019/09/misuse-of-wordpress-update_option-function-… ∗∗∗ Explaining Server Side Template Injections ∗∗∗ --------------------------------------------- [...] Exploiting SSTI in strange cases will be the next post I make. Any and all feedback is appreciated --------------------------------------------- https://0x00sec.org/t/explaining-server-side-template-injections/16297 ∗∗∗ 2019 CWE Top 25 Most Dangerous Software Errors ∗∗∗ --------------------------------------------- The Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors (CWE Top 25) is a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software. These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working. --------------------------------------------- https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html ∗∗∗ Investigating Gaps in your Windows Event Logs ∗∗∗ --------------------------------------------- I recently TAd the SANS SEC 504 class (Hacker Tools, Techniques, Exploits, and Incident Handling) , and one of the topics we covered was attackers "editing" windows event logs to cover their tracks, especially the Windows Security Event Log. --------------------------------------------- https://isc.sans.edu/forums/diary/Investigating+Gaps+in+your+Windows+Event+… ∗∗∗ Phishing: BAWAG PSK fordert keine Datenbestätigung per E-Mail ∗∗∗ --------------------------------------------- Kriminelle geben sich als BAWAG PSK Bank aus und behaupten, dass Online-Banking-NutzerInnen aufgrund der EU-Zahlungsrichtlinie ihre Daten bestätigen müssen. Angeblich sei auch das Konto gesperrt. Es handelt sich jedoch um einen Vorwand, um an Zugangsdaten zu kommen. Klicken Sie keinesfalls auf den Button, Sie gelangen zu einer gefälschten Login-Seite! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-bawag-psk-fordert-keine-dat… ∗∗∗ MISP 2.4.116 released (aka the new decaying feature) ∗∗∗ --------------------------------------------- A new version of MISP (2.4.116) has been release, including a long awaited major new feature that deals with decaying indicators in addition to a new ATT&CK sightings export and a new sync priority capability. --------------------------------------------- https://www.misp-project.org/2019/09/17/MISP.2.4.116.released.html ∗∗∗ Gootkit malware crew left their database exposed online without a password ∗∗∗ --------------------------------------------- Even cyber-criminal gangs cant secure their MongoDB servers properly. --------------------------------------------- https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-expo… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Atlassian Jira ∗∗∗ --------------------------------------------- Ben Taylor of Cisco ASIG discovered these vulnerabilities.Atlassian’s Jira software contains multiple vulnerabilities that could allow an attacker to carry out a variety of actions, including the disclosure of sensitive information and the remote execution of JavaScript code. Jira is a piece of software that allows users to create, manage and organize tasks and manage projects. These bugs could create a variety of scenarios, including the ability to execute code inside of Jira and [...] --------------------------------------------- https://blog.talosintelligence.com/2019/09/vuln-spotlight-atlassian-jira-se… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dino-im, python2.7, python3.4, and wpa), Fedora (kmplayer), openSUSE (podman and samba), Oracle (thunderbird), Red Hat (thunderbird), Slackware (expat), SUSE (curl), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/799509/ ∗∗∗ SOHOpelessly Broken 2.0: 125 Vulnerabilities Found in Routers, NAS Devices ∗∗∗ --------------------------------------------- Researchers have discovered many vulnerabilities in over a dozen small office/home office (SOHO) routers and network-attached storage (NAS) devices as part of a project dubbed SOHOpelessly Broken 2.0. --------------------------------------------- https://www.securityweek.com/sohopelessly-broken-20-125-vulnerabilities-fou… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Apache HTTPD vulnerability CVE-2019-10098 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K25126370 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily September 2019