Daily March 2020

daily@lists.cert.at

1 participants
22 discussions

Tageszusammenfassung - 17.03.2020
by Daily end-of-shift report 17 Mar '20

17 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Montag 16-03-2020 18:00 − Dienstag 17-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht vor Phishing-Mails zum Thema Corona ∗∗∗ --------------------------------------------- Kriminelle nutzen das Corona-Virus für ihre Betrugsmaschen und versenden Phishings-Mails im Namen von Unternehmen. Aktuell sind uns gefälschte E-Mails, die angeblich von A1 und DHL stammen, bekannt. Seien Sie also bei E-Mails zum Thema Corona sehr vorsichtig und klicken keinesfalls auf einen Link oder loggen sich über einen Button am Ende der E-Mail in Ihr Kundenkonto ein. Laden Sie auch keine Anhänge herunter, es könnte sich um Schadsoftware handeln. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-phishing-mails-zum-them… ∗∗∗ Die Shadowserver Foundation braucht dringend finanzielle Hilfe ∗∗∗ --------------------------------------------- Die Shadowserver Foundation ist nicht nur weltweit die größte Quelle von Threat Intelligence, sie ist auch bei weitem die wichtigste Informationsquelle für CERT.at zu Themen wie Malwareinfektionen, verwundbaren Systeme, etc. in Österreich (siehe die Liste der Feeds, die wir von Shadowserver erhalten). Insgesamt versorgt die Shadowserver Foundation 107 nationale CERTs/CSIRTs in 136 Ländern mit wertvollen Informationen über Probleme in ihrem jeweiligen [...] --------------------------------------------- https://cert.at/de/blog/2020/3/die-shadowserver-foundation-braucht-dringend… ∗∗∗ Slack fixes account-stealing bug ∗∗∗ --------------------------------------------- Slack has fixed a bug that allowed attackers to hijack user accounts by tampering with their HTTP sessions. --------------------------------------------- https://nakedsecurity.sophos.com/2020/03/17/slack-fixes-account-stealing-bu… ∗∗∗ A Quick Summary of Current Reflective DNS DDoS Attacks, (Tue, Mar 17th) ∗∗∗ --------------------------------------------- DNS is still a popular protocol to amplify denial of service attacks. A rather small DNS query, sent to an open recursive resolver, can be used to trigger a large response. Over the last few years, DNS servers implemented many countermeasures to make it more difficult to launch these attacks and easier to mitigate them. It also has become easier (but not trivial) to defend against these attacks. But in the end, you still have to "buy your way out" of a denial of service attacks. --------------------------------------------- https://isc.sans.edu/diary/rss/25916 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (okular, thunderbird, and webkit2gtk), Debian (webkit2gtk), Fedora (php-horde-Horde-Form), Gentoo (libvorbis, nss, and proftpd), Oracle (firefox and kernel), Red Hat (kernel), Scientific Linux (firefox), SUSE (cni, cni-plugins, conmon, fuse-overlayfs, podman, librsvg, and ovmf), and Ubuntu (ceph, icu, linux, linux-aws, linux-kvm, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3, [...] --------------------------------------------- https://lwn.net/Articles/815202/ ∗∗∗ Intel CPUs vulnerable to new Snoop attack ∗∗∗ --------------------------------------------- Applying the the patches for the Foreshadow (L1TF) attack disclosed in 2018 also blocks Snoop attacks. --------------------------------------------- https://www.zdnet.com/article/intel-cpus-vulnerable-to-new-snoop-attack/ ∗∗∗ Trend Micro Produkte: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0230 ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Liberty affects IBM Operations Analytics Predictive Insights (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect the WebSphere Message Broker V8. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker V8. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM eDiscovery Analyzer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.03.2020
by Daily end-of-shift report 16 Mar '20

16 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-03-2020 18:00 − Montag 16-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Kritische Lücke: Angreifer könnten aus VMware Fusion und Workstation ausbrechen ∗∗∗ --------------------------------------------- Wer virtuelle Maschinen mit Fusion, Horizon, Remote Console (VMRC) und Workstation betreibt, sollte sich aus Sicherheitsgründen die aktualisierten Versionen herunterladen und installieren. Andernfalls könnten Angreifer im schlimmsten Fall aus einer VM ausbrechen und Schadcode im Host-System ausführen. --------------------------------------------- https://www.heise.de/security/meldung/Kritische-Luecke-Angreifer-koennten-a… ∗∗∗ Saving Shadowserver and Securing the Internet — Why You Should Care & How You Can Help ∗∗∗ --------------------------------------------- Shadowserver has unexpectedly lost the financial support of our largest sponsor. We need to transition the impacted operations staff and move our data center by May 26th 2020. This is an extremely aggressive timeline. We urgently appeal to our constituents and the community to rally together, help save Shadowserver and help secure the Internet. This is the initial announcement and the index page to more detailed supporting content. --------------------------------------------- https://www.shadowserver.org/news/saving-shadowserver-and-securing-the-inte… ∗∗∗ BlackWater Malware Abuses Cloudflare Workers for C2 Communication ∗∗∗ --------------------------------------------- A new backdoor malware called BlackWater pretending to be COVID-19 information while abusing Cloudflare Workers as an interface to the malwares command and control (C2) server. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cl… ∗∗∗ MonitorMinor: vicious stalkerware ∗∗∗ --------------------------------------------- The other day, our Android traps ensnared an interesting specimen of stalkerware. On closer inspection, we found that this app outstrips all existing software of its class in terms of functionality. --------------------------------------------- https://securelist.com/monitorminor-vicious-stalkerware/95575/?utm_source=r… ∗∗∗ Phishing PDF With Incremental Updates., (Sat, Mar 14th) ∗∗∗ --------------------------------------------- Someone asked me for help with this phishing PDF. --------------------------------------------- https://isc.sans.edu/diary/rss/25904 ∗∗∗ Desktop.ini as a post-exploitation tool, (Mon, Mar 16th) ∗∗∗ --------------------------------------------- Desktop.ini files have been part of Windows operating systems for a long time. They provide users with the option to customize the appearance of specific folders in File Explorer, such as changing their icons[1]. That is not all they are good for, however. --------------------------------------------- https://isc.sans.edu/diary/rss/25912 ∗∗∗ Open MQTT Report - Expanding the Hunt for Vulnerable IoT devices ∗∗∗ --------------------------------------------- New MQTT IPv4 scans are now carried out daily as part of our efforts to expand our capability to enable the mapping of exposed IoT devices on the Internet. A new report - Open MQTT - is now shared in our free daily victim remediation reports to 107 National CSIRTs and 4600+ network owners. In particular, the report identifies accessible MQTT broker service that enable anonymous access. The work is being carried out as part of the EU CEF VARIoT (Vulnerability and Attack Repository for IoT) --------------------------------------------- https://www.shadowserver.org/news/open-mqtt-report-expanding-the-hunt-for-v… ∗∗∗ Has The Sun Set On The Necurs Botnet? ∗∗∗ --------------------------------------------- Private sector partners Microsoft and Bitsight announced their disruption of the Necurs botnet on March 10th 2020. Shadowserver supported the operation, through the use of our Registrar of Last Resort (RoLR) for helping to deal with the millions of potential DGA C2 domains involved, and by making available our victim remediation reporting channels. In this blog post we provide our take on some of the more interesting aspects of this operation, analyze the sinkholed Necurs victim populations and [...] --------------------------------------------- https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/ ∗∗∗ COVID-19 Themed Phishing Campaigns Continue ∗∗∗ --------------------------------------------- Another COVID-19 (Coronavirus) phishing campaign has been discovered -- this one apparently operated by the Pakistan-based APT36, which is thought to be nation-backed. --------------------------------------------- https://www.securityweek.com/covid-19-themed-phishing-campaigns-continue ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphicsmagick, qemu, and slurm-llnl), Fedora (ansible, couchdb, mediawiki, and python3-typed_ast), Gentoo (atftp, curl, file, gdb, git, gst-plugins-base, icu, libarchive, libgcrypt, libjpeg-turbo, libssh, libvirt, musl, nfdump, ppp, python, ruby-openid, runc, sqlite, squid, sudo, SVG Salamander, systemd, thunderbird, tiff, and webkit-gtk), Mageia (firefox, kernel, and thunderbird), openSUSE (firefox, librsvg, php7, and tomcat), Red Hat (firefox), [...] --------------------------------------------- https://lwn.net/Articles/815097/ ∗∗∗ Security Bulletin: IBM MQ and IBM MQ Appliance could allow a local attacker to obtain sensitive information. (CVE-2019-4719) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-and-ibm-mq-applian… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an error processing error messages. (CVE-2019-4656) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM Cloud Automation Manager Session Fixation Vulnerability (CVE-2019-4617) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-automation-mana… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services v2.1.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM MQ could allow a local attacker to obtain sensitive information by inclusion of sensitive data within trace. (CVE-2019-4619) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-could-allow-a-loca… ∗∗∗ Security Bulletin: IBM TNPM Wireline is vulnerable to Apache Commons Beanutils (CVE-2019-10086) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tnpm-wireline-is-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.03.2020
by Daily end-of-shift report 13 Mar '20

13 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-03-2020 18:00 − Freitag 13-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ CovidLock: Mobile Coronavirus Tracking App Coughs Up Ransomware ∗∗∗ --------------------------------------------- The security research team at DomainTools recently observed an uptick in suspicious Coronavirus and COVID-19 domains, leading them to discover CovidLock, a malicious Android App. --------------------------------------------- https://www.domaintools.com/resources/blog/covidlock-mobile-coronavirus-tra… ∗∗∗ mTAN abgefangen: Betrüger räumten Konten in Österreich leer ∗∗∗ --------------------------------------------- Mit SIM-Swapping haben Kriminelle bei Dutzenden Österreichern Geld abgehoben. Nun wurden sie verhaftet. (TAN, Malware) --------------------------------------------- https://www.golem.de/news/mtan-abgefangen-betrueger-raeumten-konten-in-oest… ∗∗∗ Persistent Cross-Site Scripting, the MSSQL Way ∗∗∗ --------------------------------------------- If you save wide Unicode brackets (i.e. ＜＞) into a char or varchar field, MSSQL Server will convert them into HTML brackets (i.e. ). So, ＜img src=x onerror=alert(pxss)＞ will be converted to compliments of the backend DB. This will likely help you sneak past server-side filters, WAFs, etc. and execute a persistent Cross-Site Scripting (PXSS) attack. As a bonus, .NET request validation will not detect it. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/persistent-… ∗∗∗ Tor team warns of Tor Browser bug that runs JavaScript on sites it shouldnt ∗∗∗ --------------------------------------------- Tor team says its working on a fix, but has no timeline. --------------------------------------------- https://www.zdnet.com/article/tor-team-warns-of-tor-browser-bug-that-runs-j… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox, golang-golang-x-crypto, kernel, mbedtls, ppp, and python-django), Debian (slirp and yubikey-val), Fedora (firefox, java-1.8.0-openjdk-aarch32, mbedtls, monit, seamonkey, sympa, and zsh), Gentoo (chromium, e2fsprogs, firefox, groovy, postgresql, rabbitmq-c, ruby, and vim), Mageia (ppp), openSUSE (kernel), and SUSE (glibc, kernel, openstack-manila, php5, and squid). --------------------------------------------- https://lwn.net/Articles/814817/ ∗∗∗ Update - Kritische Sicherheitslücke in Microsoft SMBv3 - Patch und Workarounds verfügbar ∗∗∗ --------------------------------------------- 03. März 2020 Update: 13. März 2020 Beschreibung Microsoft hat außerhalb des monatlichen Patch-Zyklus ein Security Advisory mit Workarounds für eine kritische Sicherheitslücke in Microsoft Server Message Block 3.1.1 (SMBv3) veröffentlicht. CVE-Nummern: CVE-2020-0796 CVSS Base Score: 10.0 (laut CERT/CC) Update: 13. März 2020 Microsoft gibt unter https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020… ebenfalls einen CVSS Base Score --------------------------------------------- https://cert.at/de/warnungen/2020/3/kritische-sicherheitslucke-in-microsoft… ∗∗∗ Security Bulletin: PowerVC is impacted by information leakage from nova APIs during external exception (CVE-2019-14433) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-powervc-is-impacted-by-in… ∗∗∗ Security Bulletin: CVE-2020-2654 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-2654-may-affect-… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a 3RD PARTY Path Traversal vulnerability in the Administrative Console in IBM WebSphere Application Server (WAS) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a cross-site scripting vulnerability in WebSphere Application Server Admin Console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Spectrum Protect Snapshot for VMware (CVE-2019-2989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: A vulnerability in Python affects IBM Operations Analytics Predictive Insights (CVE-2019-18348) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-python… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a File traversal vulnerability in WebSphere Application Server Admin Console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a Information disclosure vulnerability in WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for ACH Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ VMSA-2020-0004 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0004.html ∗∗∗ Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0228 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.03.2020
by Daily end-of-shift report 12 Mar '20

12 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-03-2020 18:00 − Donnerstag 12-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Prenotification Security Advisory for Adobe Acrobat and Reader ∗∗∗ --------------------------------------------- Adobe is planning to release security updates for Adobe Acrobat and Reader for Windows and macOS on Tuesday, March 17, 2020. --------------------------------------------- https://helpx.adobe.com/security/products/acrobat/apsb20-13.html ∗∗∗ Live Coronavirus Map Used to Spread Malware ∗∗∗ --------------------------------------------- Cybercriminals constantly latch on to news items that captivate the publics attention, but usually they do so by sensationalizing the topic or spreading misinformation about it. Recently, however, cybercrooks have started disseminating real-time, accurate information about global infection rates tied to the Coronavirus/COVID-19 pandemic in a bid to infect computers with malicious software. --------------------------------------------- https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-mal… ===================== = Vulnerabilities = ===================== ∗∗∗ Achtung: Sicherheitspatch gegen kritische SMBv3-Lücke jetzt verfügbar ∗∗∗ --------------------------------------------- Gegen die kritische Windows-Sicherheitslücke CVE-2020-0796 gibt es jetzt einen Patch von Microsoft. Admins sollten ihre Systeme möglichst sofort akualisieren.. --------------------------------------------- https://heise.de/-4681993 ∗∗∗ Flaws Riddle Zyxel’s Network Management Software ∗∗∗ --------------------------------------------- Over 16 security flaws, including multiple backdoors and hardcoded SSH server keys, plague the software. --------------------------------------------- https://threatpost.com/flaws-zyxels-network-management-software/153554/ ∗∗∗ Vulnerabilities Patched in Popup Builder Plugin Affecting over 100,000 Sites ∗∗∗ --------------------------------------------- On March 4th, our Threat Intelligence team discovered several vulnerabilities in Popup Builder, a WordPress plugin installed on over 100,000 sites. One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded. .. We highly recommend updating to the latest version, 3.64.1, immediately. --------------------------------------------- https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-popup-bui… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (dojo, firefox-esr, sleuthkit, and wpa), Fedora (cacti, cacti-spine, and python-psutil), Oracle (kernel), Red Hat (kernel), Scientific Linux (kernel), SUSE (ardana-ansible, ardana-cinder, ardana-cobbler, ardana-db, ardana-horizon, ardana-input-model, ardana-monasca, ardana-mq, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, ardana-tls, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, ...), Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/814652/ ∗∗∗ ABB eSOMS ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-072-01 ∗∗∗ ABB Asset Suite ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-072-02 ∗∗∗ Rockwell Automation Allen-Bradley Stratix 5950 ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-072-03 ∗∗∗ XSS vulnerability in the FortiManager via the buffer parameter ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-271 ∗∗∗ Information disclosure through diagnose debug commands in FortiWeb ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-269 ∗∗∗ XSS Vulnerability in Disclaimer Description of a Replacement Message in FortiWeb ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-20-001 ∗∗∗ Unquoted Service Path exploit in FortiClient ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-281 ∗∗∗ Authorizations Bypass in the FortiPresence portal parameters ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-258 ∗∗∗ XSS vulnerability in the URL Description of URL filter ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-270 ∗∗∗ XSS vulnerability in the Anomaly Detection Parameter Name ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-265 ∗∗∗ FortiSIEM is vulnerable to a CSRF attack ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/ FG-IR-19-240 ∗∗∗ Security Advisory - Out of Bounds Read Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200311-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200311-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200311-… ∗∗∗ Security Advisory - Improper Integrity Checking Vulnerability on some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200311-… ∗∗∗ Security Bulletin: Vulnerability from Apache HttpClient affects IBM Cloud Pak System (CVE-2012-5783) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterpise v11. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in HTTP/2 implementation used by Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: An information disclosure security vulnerability has been identified with the embedded Content Navigator component shipped with IBM Business Automation Workflow (CVE-2019-4679) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-information-disclosure… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2020
by Daily end-of-shift report 11 Mar '20

11 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-03-2020 18:00 − Mittwoch 11-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ LVI Attacks: New Intel CPUs Vulnerability Puts Data Centers At Risk ∗∗∗ --------------------------------------------- Tracked as CVE-2020-0551, dubbed "Load Value Injection in the Line Fill Buffers" or LVI-LFB for short, the new speculative-execution attack could let a less privileged attacker steal sensitive information—encryption keys or passwords—from the protected memory and subsequently, take significant control over a targeted system. --------------------------------------------- https://thehackernews.com/2020/03/intel-load-value-injection.html ∗∗∗ Forthcoming OpenSSL release ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1e. This release will be made available on Tuesday 17th March 2020 between 1300-1700 UTC. This will contain one LOW severity fix for CVE-2019-1551 --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2020-March/000166.html ∗∗∗ A new and advanced Rowhammer-based attack on DDR4 memory ∗∗∗ --------------------------------------------- A new and advanced Rowhammer-based attack on DDR4 memory was announced on March 10, 2020. (CVE-2020-10255) The attack has been shown to cause memory corruption in lab environments. --------------------------------------------- https://www.ibm.com/blogs/psirt/a-new-and-advanced-rowhammer-based-attack-o… ∗∗∗ Klicken Sie keine Links und Anhänge in E-Mails an! ∗∗∗ --------------------------------------------- „Ihr PayPal-Konto wurde eingeschränkt! … Öffnen Sie die Anhangsdatei, um Ihre Einschränkung aufzuheben!“ Diese Nachricht landet derzeit in zahlreichen E-Mail-Postfächern. Die Datei im Anhang enthält Schadsoftware, die Links führen auf Phishing-Seiten mit denen Zugangsdaten ausspioniert werden sollen. Schützen kann man sich nur, indem man nichts anklickt, sondern sich auf anderen Wegen informiert, ob die E-Mail echt sein kann. --------------------------------------------- https://www.watchlist-internet.at/news/klicken-sie-keine-links-und-anhaenge… ∗∗∗ Microsoft orchestrates coordinated takedown of Necurs botnet ∗∗∗ --------------------------------------------- Microsoft and partners in 35 countries move to bring down Necurs, todays largest malware botnet. --------------------------------------------- https://www.zdnet.com/article/microsoft-orchestrates-coordinated-takedown-o… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Microsoft SMBv3 - Workarounds verfügbar ∗∗∗ --------------------------------------------- Microsoft hat außerhalb des monatlichen Patch-Zyklus ein Security Advisory mit Workarounds für eine kritische Sicherheitslücke in Microsoft Server Message Block 3.1.1 (SMBv3) veröffentlicht. ... Die Lücke kann über das Netzwerk ausgenützt werden und ermöglicht die Ausführung von beliebigen Befehlen mit SYSTEM Rechten. --------------------------------------------- https://cert.at/de/warnungen/2020/3/kritische-sicherheitslucke-in-microsoft… ∗∗∗ IPAS: Security Advisories for March 2020 ∗∗∗ --------------------------------------------- Hi everyone, It’s the second Tuesday in March 2020 and today we released 9 security advisories. For full details on these advisories, please visit the Intel Security Center. --------------------------------------------- https://blogs.intel.com/technology/2020/03/ipas-security-advisories-for-mar… ∗∗∗ SAML Service Provider - Critical - Access bypass - SA-CONTRIB-2020-006 ∗∗∗ --------------------------------------------- This module enables you to authenticate Drupal users using an external SAML Identity Provider. If the site is configured to allow visitors to register for user accounts but administrator approval is required, the module doesnt sufficiently enforce the administrative approval requirement, in the case where the requesting user has already authenticated through SAML. --------------------------------------------- https://www.drupal.org/sa-contrib-2020-006 ∗∗∗ Microsoft Patch Tuesday — March 2020: Vulnerability disclosures and Snort coverage ∗∗∗ --------------------------------------------- Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This months Patch Tuesday covers 117 vulnerabilities, 25 of which are considered critical. There is also one moderate vulnerability and 91 that are considered important. --------------------------------------------- https://blog.talosintelligence.com/2020/03/microsoft-patch-tuesday-march-20… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (qemu-kvm and sudo), Debian (chromium), Mageia (gpac, libseccomp, and tomcat), openSUSE (gd and postgresql10), Oracle (qemu-kvm), Red Hat (chromium-browser), Scientific Linux (qemu-kvm), Slackware (firefox), and SUSE (ipmitool, java-1_7_0-openjdk, librsvg, and tomcat). --------------------------------------------- https://lwn.net/Articles/814574/ ∗∗∗ Synology-SA-20:03 Kr00k ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to obtain sensitive information via a susceptible version of Synology Router Manager (SRM) that is equipped with Broadcom BCM43460. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_03 ∗∗∗ MISP 2.4.123 released (aka the dashboard and security fix release) ∗∗∗ --------------------------------------------- A new version of MISP (2.4.123) has been released. This version includes various security related fixed, and a new Dashboard system. --------------------------------------------- https://www.misp-project.org/2020/03/10/MISP.2.4.123.released.html ∗∗∗ Credential Disclosure in WatchGuard Fireware AD Helper Component ∗∗∗ --------------------------------------------- RedTeam Pentesting discovered a credential-disclosure vulnerability in the AD Helper component of the WatchGuard Fireware Threat Detection and Response (TDR) service, which allows unauthenticated attackers to gain Active Directory credentials for a Windows domain in plaintext. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2020-001/ ∗∗∗ Johnson Controls Kantech EntraPass ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-070-04 ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-070-05 ∗∗∗ Rockwell Automation MicroLogix Controllers and RSLogix 500 Software ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-070-06 ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Huawei Smartphone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-202003116… ∗∗∗ Security Bulletin: IBM InfoSphere Governance Catalog is affected by a cross-site scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-governance… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. (August 2019 CPU) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities in IBM Java SDK affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Linux kernel vulnerability CVE-2019-19072 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42438635 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.03.2020
by Daily end-of-shift report 10 Mar '20

10 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Montag 09-03-2020 18:00 − Dienstag 10-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft Exchange Server Flaw Exploited in APT Attacks ∗∗∗ --------------------------------------------- The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server, and was fixed as part of Microsoft’s February Patch Tuesday updates. However, researchers in a Friday advisory said that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors. --------------------------------------------- https://threatpost.com/microsoft-exchange-server-flaw-exploited-in-apt-atta… ∗∗∗ Variant of Paradise Ransomware Targets Office IQY Files ∗∗∗ --------------------------------------------- A new variant of the Paradise ransomware attacks rarely-targeted Microsoft Office Excel IQY files, providing a new and relatively inobtrusive way to infiltrate and hijack an organization’s network, researchers have found. --------------------------------------------- https://threatpost.com/variant-of-paradise-ransomware-targets-office-iqy-fi… ∗∗∗ How poor IoT security is allowing this 12-year-old malware to make a comeback ∗∗∗ --------------------------------------------- Conficker peaked in 2009, but unsupported connected devices are allowing it to spread in 2020 - and the healthcare sector is where its infected the most targets. --------------------------------------------- https://www.zdnet.com/article/how-poor-iot-security-is-allowing-this-ten-ye… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libvpx and network-manager-ssh), Fedora (cacti, cacti-spine, and podman), openSUSE (chromium and python-bleach), Oracle (curl), Red Hat (ansible and qemu-kvm), SUSE (gd, ipmitool, and php7), and Ubuntu (runc and sqlite3). --------------------------------------------- https://lwn.net/Articles/814493/ ∗∗∗ MISP: Mehrere Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in MISP ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0206 ∗∗∗ SAP Security Patch Day – March 2020 ∗∗∗ --------------------------------------------- On 10th of March 2020, SAP Security Patch Day saw the release of 16 Security Notes. There are 2 updates to previously released Patch Day Security Notes. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=540935305 *** Joomla Security Updates (Severity: low) *** --------------------------------------------- ∗ [20200306] - Core - SQL injection in Featured Articles menu parameters https://developer.joomla.org/security-centre/807-20200306-core-sql-injectio… ∗ [20200304] - Core - Identifier collisions in com_users https://developer.joomla.org/security-centre/805-20200304-core-identifier-c… ∗ [20200305] - Core - Incorrect Access Control in com_fields SQL field https://developer.joomla.org/security-centre/806-20200305-core-incorrect-ac… ∗ [20200303] - Core - Incorrect Access Control in com_templates https://developer.joomla.org/security-centre/804-20200303-core-incorrect-ac… ∗ [20200302] - Core - XSS in Protostar and Beez3 https://developer.joomla.org/security-centre/803-20200302-core-xss-in-proto… ∗ [20200301] - Core - CSRF in com_templates image actions https://developer.joomla.org/security-centre/802-20200301-core-csrf-in-com-… ∗∗∗ TYPO3-EXT-SA-2020-003: Multiple vulnerabilities in extension "Magalone Flipbook for TYPO3" (magaloneflipbook) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2020-003 ∗∗∗ TYPO3-EXT-SA-2020-002: Remote Code Execution in extension "PHPUnit" (phpunit) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2020-002 ∗∗∗ TYPO3-EXT-SA-2020-001: SQL Injection in extension "phpmyadmin" (phpmyadmin) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2020-001 ∗∗∗ SSA-938930: Cross-Site Scripting Vulnerability in Spectrum Power™ 5 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-938930.txt ∗∗∗ SSA-508982: Denial-of-Service Vulnerability in SIMATIC S7-300 CPUs and SINUMERIK ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-508982.txt ∗∗∗ SSA-844761: Multiple Vulnerabilities in CCS, FTP and Streaming Services of SiNVR Video Management Solution ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-844761.txt ∗∗∗ Security Bulletin: Vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dcnm-net… ∗∗∗ Security Bulletin: Vulnerability in DCNM Network Management Software used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-dcnm-net… ∗∗∗ Security Bulletin: An information disclosure vulnerability has been identified with the embedded Content Platform Engine component shipped with IBM Business Automation Workflow (CVE-2019-4572) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-information-disclosure… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2019 – Includes Oracle Oct 2019 CPU minus CVE-2019-2949 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM Workload scheduler 9.3 vulnerable to CVE-2019-4608 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-workload-scheduler-9-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.03.2020
by Daily end-of-shift report 09 Mar '20

09 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-03-2020 18:00 − Montag 09-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Data-Stealing FormBook Malware Preys on Coronavirus Fears ∗∗∗ --------------------------------------------- Another email campaign pretending to be Coronavirus (COVID-19) information from the World Health Organization (WHO) is distributing a malware downloader that installs the FormBook information-stealing Trojan. --------------------------------------------- https://www.bleepingcomputer.com/news/security/data-stealing-formbook-malwa… ∗∗∗ Neue CPU-Sicherheitslücke in AMD-Prozessoren laut AMD gar nicht neu ∗∗∗ --------------------------------------------- Sicherheitsforscher haben laut eigenen Angaben neue Sicherheitslücken in AMDs Prozessoren gefunden – unter anderem Ryzen und Epyc sollen betroffen sein. --------------------------------------------- https://heise.de/-4678823 ∗∗∗ Inkassoschreiben über 516,24 Euro müssen nicht bezahlt werden ∗∗∗ --------------------------------------------- Aktuell werden vermehrt Mahnungen und Zahlungsaufforderungen von angeblichen Inkassobüros für Abos bei Streamingdiensten ausgesendet. Die gute Nachricht: Zahlen Sie nicht! Die schlechte Nachricht: Es wird nicht die letzte Zahlungsaufforderung gewesen sein. --------------------------------------------- https://www.watchlist-internet.at/news/inkassoschreiben-ueber-51624-euro-mu… ===================== = Vulnerabilities = ===================== ∗∗∗ Google Authenticator: 2FA-Codes lassen sich einfach abgreifen ∗∗∗ --------------------------------------------- Google Authenticator, Microsoft Authenticator und etliche andere Apps zur Zwei-Faktor-Authentifizierung haben keinen Schutz vor Screenshots eingerichtet. Eine Schadsoftware soll dies bereits ausnutzen. --------------------------------------------- https://www.golem.de/news/google-authenticator-2fa-codes-lassen-sich-einfac… ∗∗∗ Talos Vulnerability Spotlight: WAGO products contain remote code execution, other vulnerabilities ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several vulnerabilities in multiple products from the company WAGO. WAGO produces a line of automation software called “e!COCKPIT,” an integrated development environment that aims to speed up automation tasks and machine and system startup. --------------------------------------------- https://blog.talosintelligence.com/2020/03/wago-vulnerability-spotlight-mar… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (seamonkey), Mageia (apache-mod_auth_openidc, binutils, chromium-browser-stable, dojo, firejail, gcc, glib2.0, glibc, http-parser, ilmbase, libarchive, libgd, libsolv, mbedtls, pcre, pdfresurrect, php, proftpd, pure-ftpd, python-bleach, ruby-rake, transfig, weechat, and xen), openSUSE (chromium, ovmf, python-bleach, and yast2-rmt), Oracle (curl, http-parser, kernel, sudo, and xerces-c), Red Hat (chromium-browser and kernel-alt) [...] --------------------------------------------- https://lwn.net/Articles/814371/ ∗∗∗ Security Bulletin: Stack is displayed in WebSphere Application Server (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-stack-is-displayed-in-web… ∗∗∗ Security Bulletin: Vulnerability in Node.js affects IBM App Connect Enterprise V11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Atlas eDiscovery Process Management is affected by a vulnerable to Apache Commons Beanutils in WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-atlas-ediscovery-process-… ∗∗∗ Security Bulletin: Cookie created without secure flag WAS Liberty (CVE-2019-4305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cookie-created-without-se… ∗∗∗ Security Bulletin: 3RD PARTY Stored Cross-Site Scripting in Tivoli Application Dependency Discovery Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-3rd-party-stored-cross-si… ∗∗∗ Security Bulletin: Bypass security restrictions in WAS Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bypass-security-restricti… ∗∗∗ Security Bulletin: [All] Python (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-all-python-publicly-discl… ∗∗∗ Security Bulletin: Apache CXF (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-cxf-publicly-discl… ∗∗∗ Security Bulletin: Python vulnerability in IBM Tivoli Application Dependency Discovery Manager (CVE-2019-16935) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-python-vulnerability-in-i… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozzila Firefox (less than Firefox 68.4 ESR) have affected Synthetic Playback Agent 8.1.4.0 – 8.1.4 IF10 + ICAM 3.0 – 4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an attacker can cause a denial of service (CVE-2020-4217) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method ( CVE-2019-14907) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Apache Tomcat vulnerability CVE-2020-1935 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43709560 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.03.2020
by Daily end-of-shift report 06 Mar '20

06 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-03-2020 18:00 − Freitag 06-03-2020 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ PwndLocker Ransomware Gets Pwned: Decryption Now Available ∗∗∗ --------------------------------------------- Emsisoft has discovered a way to decrypt files encrypted by the new PwndLocker Ransomware so that victims can recover their files without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-p… ∗∗∗ Emotet Actively Using Upgraded WiFi Spreader to Infect Victims ∗∗∗ --------------------------------------------- Emotets authors have upgraded the malwares Wi-Fi spreader by making it a fully-fledged module and adding new functionality as shown by multiple samples that were recently delivered to infected devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-actively-using-upgrad… ∗∗∗ Security: Das Intel-ME-Chaos kommt ∗∗∗ --------------------------------------------- Bis zum Chaos sei es nur eine Frage der Zeit, schreiben die ME-Hacker. Intel versucht, das zu verschweigen, und kann das Security-Theater eigentlich auch gleich sein lassen. --------------------------------------------- https://www.golem.de/news/security-das-intel-me-chaos-kommt-2003-147099-rss… ∗∗∗ Lets Encrypt: OK, maybe nuking three million HTTPS certs at once was a tad ambitious. Lets take time out ∗∗∗ --------------------------------------------- Lets Encrypt has halted its plans to cancel all three million flawed web security certificates – after fearing the super-revocation may effectively break a chunk of the internet for netizens. --------------------------------------------- https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/05/lets_enc… ∗∗∗ NCSC Releases Advisory on Securing Internet-Connected Cameras ∗∗∗ --------------------------------------------- The United Kingdom (UK) National Cyber Security Centre (NCSC) has released an advisory on securing internet-connected cameras such as smart security cameras and baby monitors. An attacker could gain access to unsecured, or poorly secured, internet-connected cameras to obtain live feeds or images.The following steps can help consumers secure their devices. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/03/05/ncsc-releases-advi… ∗∗∗ A Safe Excel Sheet Not So Safe ∗∗∗ --------------------------------------------- I discovered a nice sample yesterday. This excel sheet was found in a mail flagged as “suspicious” by a security appliance. The recipient asked to release the mail from the quarantine because “it was sent from a known contact”. Before releasing such a mail from the quarantine, the process in place is to have a quick look at the file to ensure that it is safe to be released. --------------------------------------------- https://isc.sans.edu/forums/diary/A+Safe+Excel+Sheet+Not+So+Safe/25868/ ===================== = Vulnerabilities = ===================== ∗∗∗ WAGO I/O-CHECK ∗∗∗ --------------------------------------------- This advisory contains mitigations for information exposure through sent data, buffer access with incorrect length value, missing authentication for critical function, and classic buffer overflow vulnerabilities in the WAGO I/O CHECK software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-065-01 ∗∗∗ Critical Zoho Zero-Day Flaw Disclosed ∗∗∗ --------------------------------------------- A Zoho zero day vulnerability and proof of concept (PoC) exploit code was disclosed on Twitter. --------------------------------------------- https://threatpost.com/critical-zoho-zero-day-flaw-disclosed/153484/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, opensc, opensmtpd, and weechat), Debian (jackson-databind and pdfresurrect), Fedora (sudo), openSUSE (openfortivpn and squid), Red Hat (virt:8.1 and virt-devel:8.1), Scientific Linux (http-parser and xerces-c), and SUSE (gd, kernel, postgresql10, and tomcat). --------------------------------------------- https://lwn.net/Articles/814035/ ∗∗∗ Synology-SA-20:02 ppp ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of DiskStation Manager (DSM) or Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_20_02 ∗∗∗ Security Bulletin: Rational Integration Tester HTTP/TCP Proxy component in Rational Test Virtualization Server and Rational Test Workbench affected by Netty vulnerabilities (CVE-2020-7238, CVE-2019-16869, CVE-2019-20445, CVE-2019-20444) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-integration-test… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2019 – Includes Oracle Oct 2019 CPU minus CVE-2019-2949 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerability in Curl used in OS image for RedHat Enterprise Linux for Cloud Pak System (CVE-2018-16842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-curl-use… ∗∗∗ Multiple Vulnerabilities Patched in RegistrationMagic Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2020/03/multiple-vulnerabilities-patched-in-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.03.2020
by Daily end-of-shift report 05 Mar '20

05 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-03-2020 18:00 − Donnerstag 05-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ In eigener Sache: CERT.at sucht Verstärkung (Software Entwickler für Open-Source Projekt, Teil-/Vollzeit) ∗∗∗ --------------------------------------------- Für unser international renommiertes Open-Source Projekt IntelMQ suchen wir eine/n Software Entwickler/in (Teil- oder Vollzeit 25-38,5 Stunden) zum ehestmöglichen Einstieg. Dienstort ist Wien. Details finden sich wie immer auf unserer Jobs-Seite. --------------------------------------------- https://cert.at/de/blog/2020/3/in-eigener-sache-certat-sucht-verstarkung-so… ∗∗∗ Jackpotting malware ∗∗∗ --------------------------------------------- Introduction Jackpotting malware is not well known because it exclusively targets automated teller machines (ATMs). ... In this article, we will examine two of the most widely known types of jackpotting malware, Ploutus and Cutlet Maker. We will also look at the operation of jackpotting malware and provide recommendations on how banks can protect against it. --------------------------------------------- https://resources.infosecinstitute.com/jackpotting-malware/ ∗∗∗ Mokes and Buerak distributed under the guise of security certificates ∗∗∗ --------------------------------------------- We recently discovered a new approach to the well-known distributing malware technique: visitors to infected sites were informed that some kind of security certificate had expired. --------------------------------------------- https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-secu… ∗∗∗ Guildma – innovativer Bankentrojaner aus Lateinamerika ∗∗∗ --------------------------------------------- Ein in Brasilien weitverbreiteter Bankentrojaner treibt sein Unwesen. Wir haben die Guildma-Malware analysiert und sind dabei auf einige interessante Fakten gestoßen. --------------------------------------------- https://www.welivesecurity.com/deutsch/2020/03/05/guildma-bankentrojaner-la… ∗∗∗ Malicious Chrome extension caught stealing Ledger wallet recovery seeds ∗∗∗ --------------------------------------------- A Chrome extension named Ledger Live was exposed today as malicious. It is currently heavily promoted via Google search ads. --------------------------------------------- https://www.zdnet.com/article/malicious-chrome-extension-caught-stealing-le… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#782301: pppd vulnerable to buffer overflow due to a flaw in EAP packet processing ∗∗∗ --------------------------------------------- Due to a flaw in the Extensible Authentication Protocol (EAP) packet processing in the Point-to-Point Protocol Daemon (pppd), an unauthenticated remote attacker may be able to cause a stack buffer overflow, which may allow arbitrary code execution on the target system. --------------------------------------------- https://kb.cert.org/vuls/id/782301 ∗∗∗ SVG Formatter - Critical - Cross site scripting - SA-CONTRIB-2020-005 ∗∗∗ --------------------------------------------- Project: SVG Formatter Security risk: Critical This security release fixes third-party dependencies included in or required by SVG Formatter. XSS bypass using entities and tab.This vulnerability is mitigated by the fact that an attacker must be able to upload SVG files. --------------------------------------------- https://www.drupal.org/sa-contrib-2020-005 ∗∗∗ Cisco Email Security Appliance Uncontrolled Resource Exhaustion Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the malware detection functionality in Cisco Advanced Malware Protection (AMP) in Cisco AsyncOS Software for Cisco Email Security Appliances (ESAs) could allow an unauthenticated remote attacker to exhaust resources on an affected device. The vulnerability is due to insufficient control over system memory allocation. An attacker could exploit this vulnerability by sending a crafted email through the targeted device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Sicherheitslücken: Angreifer könnten WLAN-Router von Netgear übernehmen ∗∗∗ --------------------------------------------- Wer einen WLAN-Router von Netgear besitzt, sollte das Gerät zügig aktualisieren. Eine Sicherheitslücke gilt als kritisch. --------------------------------------------- https://heise.de/-4676824 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (http-parser and xerces-c), Debian (tomcat7), Fedora (opensmtpd), openSUSE (openfortivpn and permissions), Red Hat (http-parser, openstack-octavia, python-waitress, and sudo), Slackware (ppp), and SUSE (kernel). --------------------------------------------- https://lwn.net/Articles/813888/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: API Connect is impacted by multiple vulnerabilities in Oracle MySQL. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-impacted-b… ∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server affects IBM Watson Text to Speech and Speech to Text (IBM Watson™ Speech Services 1.1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: WAS Liberty vunerabilities affect IBM Watson Text to Speech and Speech to Text (IBM Watson™ Speech Services 1.1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-was-liberty-vunerabilitie… ∗∗∗ Security Bulletin: API Connect's Developer Portal is impacted by vulnerabilities in PHP ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connects-developer-po… ∗∗∗ Security Bulletin: WAS Liberty vunerabilities affect IBM Watson Text to Speech and Speech to Text (IBM Watson™ Speech Services 1.1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-was-liberty-vunerabilitie… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2020
by Daily end-of-shift report 04 Mar '20

04 Mar '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-03-2020 18:00 − Mittwoch 04-03-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Achtung: Lets Encrypt macht Mittwochnacht 3 Millionen Zertifikate ungültig ∗∗∗ --------------------------------------------- Webadmins aufgepasst: Wer jetzt seine Lets-Encrypt-Zertifikate nicht erneuert, könnte Donnerstag früh verunsicherte Nutzer auf der Matte stehen haben. --------------------------------------------- https://heise.de/-4676017 ∗∗∗ Ransomware Attackers Use Your Cloud Backups Against You ∗∗∗ --------------------------------------------- Backups are one the most, if not the most, important defense against ransomware, but if not configured properly, attackers will use it against you. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-you… ∗∗∗ ACSC Releases Securing Content Management Systems Guide ∗∗∗ --------------------------------------------- The Australian Cyber Security Centre (ACSC) has released a cybersecurity guide outlining strategies for identifying and minimizing risks to web servers from installed content management systems (CMS). --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/03/04/acsc-releases-secu… ∗∗∗ A Zero-Day Homograph Domain Name Attack ∗∗∗ --------------------------------------------- What started as almost casual research in November 2019 and disclosed to various vendors as a vulnerability in November and December 2019 and January 2020 was abruptly reclassified and treated as a zero-day vulnerability on February 13, 2020. --------------------------------------------- https://www.securityweek.com/zero-day-homograph-domain-name-attack ∗∗∗ Academics find 30 file upload vulnerabilities in 23 web apps, CMSes, and forums ∗∗∗ --------------------------------------------- Impacted projects include WordPress, Concrete5, Composr, SilverStripe, ZenCart, and others. --------------------------------------------- https://www.zdnet.com/article/academics-find-30-file-upload-vulnerabilities… ∗∗∗ Voice assistants can be hacked with ultrasonic waves ∗∗∗ --------------------------------------------- With access to text messages and the ability to make fraudulent phone calls, attackers could wreak more damage than youd think --------------------------------------------- https://www.welivesecurity.com/2020/03/04/voice-assistants-hacked-ultrasoni… ===================== = Vulnerabilities = ===================== ∗∗∗ Emerson ValveLink ∗∗∗ --------------------------------------------- This advisory contains mitigations for an improper access control vulnerability in Emersons ValveLink digital valve controllers. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-063-01 ∗∗∗ PHOENIX CONTACT Emalytics Controller ILC ∗∗∗ --------------------------------------------- This advisory contains mitigations for an incorrect permission assignment for critical resource vulnerability in Phoenix Contacts Emalytics Controller modular inline devices. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-063-02 ∗∗∗ Omron PLC CJ Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for an uncontrolled resource consumption vulnerability in Omrons PLC CJ Series programmable logic controllers. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-063-03 ∗∗∗ Moxa AWK-3131A Series Industrial AP/Bridge/Client ∗∗∗ --------------------------------------------- This advisory contains mitigations for several vulnerabilities in Moxas AWK-3131A wireless networking appliance. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-063-04 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libzypp), Fedora (opensmtpd and thunderbird), openSUSE (nodejs8), Red Hat (http-parser, kpatch-patch, and xerces-c), SUSE (cloud-init, compat-openssl098, kernel, postgresql96, python, and yast2-rmt), and Ubuntu (python-django and rake). --------------------------------------------- https://lwn.net/Articles/813797/ ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ Security Bulletin: WebSphere Liberty susceptible to HTTP2 implementation vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-liberty-suscept… ∗∗∗ Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by a vulnerability in libssh2 (CVE-2016-0787) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (February 2020v3) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Apache Commons Beanutils library affect IBM Cúram Social Program Management (CVE-2019-10086) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: A security vulnerability has been addressed in IBM Security Privileged Identity Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in OpenSSL (CVE-2012-4929) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management… ∗∗∗ Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by a vulnerability with the IPv6 networking support (CVE-2015-2922) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management… ∗∗∗ Security Bulletin: IBM Security Privileged Identity Manager is affected by a security vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-privileged-i… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2019 – Includes Oracle Oct 2019 CPU minus CVE-2019-2949 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ HPESBHF03987 rev.1 - HPE OneView Global Dashboard (OVGD), Remote Information Disclosure ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Red Hat OpenShift Container Platform: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0189 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily March 2020