- Daily - CERT.at

Tageszusammenfassung - Dienstag 29-04-2014
by Daily end-of-shift report 29 Apr '14

29 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 28-04-2014 18:00 − Dienstag 29-04-2014 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Update for Vulnerabilities in Adobe Flash Player in Internet Explorer - Version: 23.0 *** --------------------------------------------- https://technet.microsoft.com/en-us/library/security/2755801 *** Ubuntu 14.04 lockscreen bypass, (Mon, Apr 28th) *** --------------------------------------------- Upgraded to Ubuntu 14.04? Hold down enter to bypass the lockscreen (what is old is new again): https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572 …" The reporter indicates that he was running Ubuntu 14.04 with all the packages updated. When the screen is locked with password, if holding ENTER, after some seconds the screen freezes and the lock screen .. --------------------------------------------- http://isc.sans.edu/diary.html?storyid=18039 *** Cisco ASA DHCPv6 Denial of Service Vulnerability *** --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** Researchers warn of resurgent Sefnit malware *** --------------------------------------------- Botnet returns using new tactics A malware infection which drew headlines January has returned and is using new techniques to infect and spread amongst users. --------------------------------------------- www.theregister.co.uk/2014/04/29/researchers_warn_of_resurgent_sefnit_malwa… *** Citrix NetScaler Application Delivery Controller and NetScaler Gateway Multiple Security Updates *** --------------------------------------------- A number of security vulnerabilities have been identified in the management component of the Citrix NetScaler Application Delivery Controller .. --------------------------------------------- http://support.citrix.com/article/CTX140651 *** Massenhack bei AOL: Millionen Nutzer betroffen *** --------------------------------------------- Unbekannte verschaffen sich Zugang zu privaten Informationen - Unternehmen fordert zum ändern des Passworts auf --------------------------------------------- http://derstandard.at/1397521927406 *** The FireEye Advanced Threat Report 2013: European Edition *** --------------------------------------------- We recently published the 2013 FireEye Advanced Threat Report during RSA Conference, providing a global overview of the advanced attacks that FireEye discovered last year. We are now drilling that global analysis down into the European threat .. --------------------------------------------- http://www.fireeye.com/blog/corporate/2014/04/the-fireeye-advanced-threat-r… *** Cybercriminals Take Advantage Of Heartbleed With Spam *** --------------------------------------------- Since news about Heartbleed broke out earlier this month, the Internet has been full of updates, opinions and details about the vulnerability, with personalities ranging from security experts to celebrities talking about it. Being as opportunistic as they are, cybercriminals have taken notice of this and .. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/RKpGQ6-RSA8/ *** Q1 2014 Mobile Threat Report *** --------------------------------------------- Our Mobile Threat Report for Q1 2014 is out! Heres a couple of the things we cover in it:The vast majority of the new threats found was on Android (no surprise there), which accounted for 275 out of 277 new families we saw in this period, leaving 1 new malware apiece on iOS and Symbian.In Q1, .. --------------------------------------------- http://www.f-secure.com/weblog/archives/00002699.html *** 6 free network vulnerability scanners *** --------------------------------------------- Vulnerability scanners can help you automate security auditing and can play a crucial role in your IT security. They can scan your network and websites for up to thousands of different security risks, produce a prioritized list of those you should patch, describe the vulnerabilities, and give steps on how to remediate them. Some can even automate the patching process. While these tools can .. --------------------------------------------- http://www.csoonline.com/article/2148841/data-protection/6-free-network-vul… *** Hashcat-Utils v1.0 Released *** --------------------------------------------- Hashcat-utils are a set of small utilities that are useful in advanced password cracking. They all are packed into multiple stand-alone binaries. All of these utils are designed to execute only one specific function. Since they all work with STDIN and STDOUT you can group them into chains. The programs are available for Linux and Windows on both 32 bit and 64 bit architectures. The programs are also available as open source. --------------------------------------------- http://www.toolswatch.org/2014/04/hashcat-utils-v1-0-released/

1 0

Tageszusammenfassung - Montag 28-04-2014
by Daily end-of-shift report 28 Apr '14

28 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 25-04-2014 18:00 − Montag 28-04-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** Using Facebook Notes to DDoS any website *** --------------------------------------------- Facebook Notes allows users to include tags. Whenever a tag is used, Facebook crawls the image from the external server and caches it. Facebook will only cache the image once however using random get parameters the cache can be by-passed and the feature can be abused to cause a huge HTTP GET flood. --------------------------------------------- http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/ *** Mozilla entschlackt Zertifkats-Überprüfung *** --------------------------------------------- Statt 81.865 sind jetzt nur noch 4167 Zeilen Code zum überprüfen von SSL-Zertifikaten nötig. Wer Sicherheitslücken in darin findet, erhält einen üppigen Finderlohn. --------------------------------------------- http://www.heise.de/security/meldung/Mozilla-entschlackt-Zertifkats-Ueberpr… *** Examining the Heartbleed-based FUD thats pitched to the public *** --------------------------------------------- The Heartbleed vulnerability has created a massive news cycle, and generated technical risk-based discussions that might actually do some good. But some of these discussions boggle the mind, spreading misinformation in order to generate clicks or sales.When security issues hit the mass media, such as Heartbleed, there is a good deal of Fear, Uncertainty, and Doubt - better known as FUD - that gets promoted on the airwaves and in print. --------------------------------------------- http://www.csoonline.com/article/2148461/application-security/examining-the… *** Sicherheitslücke bei Messaging-App Viber aufgedeckt *** --------------------------------------------- Bilder, Videos und Standortdaten, die man mit der Messaging-App Viber übermittelt, werden unverschlüsselt auf Servern gespeichert. Der Zugang dazu ist äußerst einfach. --------------------------------------------- http://futurezone.at/digital-life/sicherheitsluecke-bei-messaging-app-viber… *** Microsoft Warns of Attacks on IE Zero-Day *** --------------------------------------------- Microsoft is warning Internet Explorer users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. The vulnerability could be used to silently install malicious software without any help from users, save for perhaps merely browsing to a hacked or malicious site. --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/PUm3t0AZZzc/ *** Neue Internet-Explorer-Lücke wird zum Ernstfall für Windows XP *** --------------------------------------------- Wird bereits aktiv ausgenutzt - Kein Update mehr für XP, andere Betriebssystemversion derzeit ebenfalls noch ungeschützt --------------------------------------------- http://derstandard.at/1397521804143 *** Biggest EU cyber security exercise to date: Cyber Europe 2014 taking place today *** --------------------------------------------- Today, 28 April 2014, European countries kick off the Cyber Europe 2014 (CE2014). CE2014 is a highly sophisticated cyber exercise, involving more than 600 security actors across Europe. --------------------------------------------- http://www.enisa.europa.eu/media/press-releases/biggest-eu-cyber-security-e… *** Cisco IOS XE Software Malformed L2TP Packet Vulnerability *** --------------------------------------------- A vulnerability in the Layer 2 Tunneling Protocol (L2TP) module of Cisco IOS XE on Cisco ASR 1000 Series Routers could allow an authenticated, remote attacker to cause a reload of the processing ESP card. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** Security updates available for Adobe Flash Player (APSB14-13) *** --------------------------------------------- A Security Bulletin (APSB14-13) has been published regarding security updates for Adobe Flash Player. These updates address a critical vulnerability, and Adobe recommends users update their product installations to the latest versions --------------------------------------------- http://blogs.adobe.com/psirt/?p=1093

1 0

Tageszusammenfassung - Freitag 25-04-2014
by Daily end-of-shift report 25 Apr '14

25 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 24-04-2014 18:00 − Freitag 25-04-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Number of Sites Vulnerable to Heartbleed Plunges by Two-Thirds *** --------------------------------------------- Two weeks ago, we talked about how many sites in the top 1 million domains (as judged by Alexa) were vulnerable to the Heartbleed SSL vulnerability. How do things stand today? Figure 1. Sites vulnerable to Heartbleed as of April 22 Globally, the percentage of sites that is vulnerable to Heartbleed has fallen by two-thirds,... --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/qyKz0tQVjAY/ *** Fareit trojan observed spreading Necurs, Zbot and CryptoLocker *** --------------------------------------------- The Necurs and Zbot trojans, as well as CryptoLocker ransomware, has been observed by researchers as being spread through another trojan, known as Fareit. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/XrcbQ8kwwQo/ *** It's Insanely Easy to Hack Hospital Equipment *** --------------------------------------------- When Scott Erven was given free reign to roam through all of the medical equipment used at a chain of large midwest health care facilities, he knew he would find security problems with the systems -- but he wasnt prepared for just how bad it would be. --------------------------------------------- http://feeds.wired.com/c/35185/f/661467/s/39be98e1/sc/36/l/0L0Swired0N0C20A… *** Update für Windows 7 außer der Reihe *** --------------------------------------------- Windows-7-Nutzer bekommen von der Update-Funktion derzeit ein Update mit der Nummer 2952664 angeboten. Irritierend daran: Es erscheint außer der Reihe und Microsoft verrät auch nicht, welche Probleme das Update genau behebt. --------------------------------------------- http://www.heise.de/newsticker/meldung/Update-fuer-Windows-7-ausser-der-Rei… *** Acunetix 8 Scanner Buffer overflow *** --------------------------------------------- Topic: Acunetix 8 Scanner Buffer overflow Risk: High Text:#!/usr/bin/python # Title: Acunetix Web Vulnerability Scanner Buffer Overflow Exploit # Version: 8 # Build: 20120704 # Test... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014040162 *** Security Notice-Statement on Patch Bypassing of Apache Struts2 *** --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** Hitachi Multiple Products OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/58022 *** Global Technology Associates GB-OS OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/58007 *** Certec atvise scada OpenSSL Heartbleed Vulnerability *** --------------------------------------------- Researcher Bob Radvanovsky of Infracritical has notified NCCIC/ICS-CERT that Certec has released new libraries that mitigate the OpenSSL Heartbleed vulnerability in atvise scada.This vulnerability could be exploited remotely. Exploits that target the OpenSSL Heartbleed vulnerability are known to be publicly available. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-114-01 *** Siemens SIMATIC S7-1200 CPU Web Vulnerabilities *** --------------------------------------------- Siemens ProductCERT and Ralf Spenneberg, Hendrik Schwartke, and Maik Brüggemann from OpenSource Training have reported two vulnerabilities in the Siemens SIMATIC S7-1200 CPU family. Siemens has produced a new product release that mitigates these vulnerabilities. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-114-02 *** InduSoft Web Studio Directory Traversal Vulnerability *** --------------------------------------------- This advisory was originally posted to the US-CERT secure Portal library on April 17, 2014, and is now being released to the NCCIC/ICS-CERT web site. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-107-02 *** Festo CECX-X-(C1/M1) Controller Vulnerabilities *** --------------------------------------------- K. Reid Wightman of IOActive, Inc. has identified vulnerabilities in Festo’s CECX-X-C1 and CECX-X-M1 controllers. Festo has decided not to resolve these vulnerabilities because of compatibility reasons with existing engineering tools. This places critical infrastructure asset owners using this product at risk. This advisory is being published to alert critical infrastructure asset owners of the risk of using this equipment and for them to increase compensating measures if possible. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-084-01 *** Oracle Solaris ntpd Query Function Lets Remote Users Conduct Amplified Denial of Service Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1030142 *** Synology DiskStation Manager cUrl Connection Re-use and Certificate Verification Security Issues *** --------------------------------------------- https://secunia.com/advisories/58145 *** SSA-635659 (Last Update 2014-04-25): Heartbleed Vulnerability in Siemens Industrial Products *** --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… *** Halon Security Router Multiple Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/57507 *** HP Security Bulletins *** --------------------------------------------- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_…

1 0

Tageszusammenfassung - Donnerstag 24-04-2014
by Daily end-of-shift report 24 Apr '14

24 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 23-04-2014 18:00 − Donnerstag 24-04-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** NetSupport Information Leakage Using Nmap Script *** --------------------------------------------- NetSupport allows corporations to remotely manage and connect to PCs and servers from a central location for the purposes of desktop support. In my last post I discussed how I wrote a script using the NetSupport scripting language to find versions of NetSupport running on clients with default installations that didnt require authentication to remotely connect to them. Essentially you could use NetSupport to bypassany Domain or local credentials to remotely connect to the PC and... --------------------------------------------- http://blog.spiderlabs.com/2014/04/netsupport-information-leakage-using-nma… *** DHCPv6 and DUID Confusion, (Wed, Apr 23rd) *** --------------------------------------------- In IPv6, DHCP is taking somewhat a back seat to router advertisements. Many smaller networks are unlikely to use DHCP. However, in particular for Enterprise/larger networks, DHCPv6 still offers a lot of advantages when it comes to managing hosts and accounting for IP addresses in use. One of the big differences when it comes to DHCPv6 is that a host identifies itself with a DUID (DHCP Unique Identifier) which can be different from a MAC address. There are essentially three ways to come up with... --------------------------------------------- http://isc.sans.edu/diary.html?storyid=18015&rss *** Cisco: Hey, IT depts. Youre all malware hosts *** --------------------------------------------- Security report also notes skills shortage Everybody - at least every multinational that Cisco checked out for its 2014 Annual Security Report - is hosting malware of some kind, and there arent enough security professionals to go around. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/04/24/cisco_youre… *** DrDoS attacks to reach 800 Gbps in 2015 *** --------------------------------------------- While the network time protocol (NTP) DrDoS threats that became prevalent in early 2014 have been contained, new distributed reflected denial of service threats will lead to attacks in excess of 800 Gbps during the next 12 to 18 months. --------------------------------------------- http://www.net-security.org/secworld.php?id=16733 *** Zero-Day-Lücke in Apache Struts 2 *** --------------------------------------------- Durch eine kleine Abwandlung einer bereits gepatchten Lücke können Angreifer wieder Code in den Server einschleusen. --------------------------------------------- http://www.heise.de/security/meldung/Zero-Day-Luecke-in-Apache-Struts-2-217… *** Situational Awareness Alert for OpenSSL Vulnerability (Update D) *** --------------------------------------------- This alert update is a follow-up to the updated NCCIC/ICS-CERT Alert titled ICS-ALERT-14-009-01C Situational Awareness Alert for OpenSSL Vulnerability that was published April 17, 2014, on the ICS-CERT web site. --------------------------------------------- http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-099-01D *** Drupal - Vulnerabilities in Third-Party Modules *** --------------------------------------------- https://drupal.org/node/2248073 https://drupal.org/node/2248077 https://drupal.org/node/2248145 https://drupal.org/node/2248171 *** Attachmate Reflection OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information *** --------------------------------------------- http://www.securitytracker.com/id/1030144 *** Bugtraq: Weak firmware encryption and predictable WPA key on Sitecom routers *** --------------------------------------------- http://www.securityfocus.com/archive/1/531920 *** SSA-892012 (Last Update 2014-04-24): Web Vulnerabilities in SIMATIC S7-1200 CPU *** --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… *** Vuln: Check_MK Multiple Vulnerabilities *** --------------------------------------------- http://www.securityfocus.com/bid/66389 http://www.securityfocus.com/bid/66391 http://www.securityfocus.com/bid/66394 http://www.securityfocus.com/bid/66396 *** Notice: (Revision) CUSTOMER ATTENTION REQUIRED: HP Integrated Lights-Out and Integrated Lights-Out 2 - Scanning First-Generation iLO or iLO 2 Devices for the Heartbleed Vulnerability Results in iLO Lockup Requiring Power to be PHYSICALLY Removed *** --------------------------------------------- The first-generation iLO and iLO 2 products use the RSA SSL libraries and there is a bug in these libraries that will cause first-generation iLO and iLO 2 devices to enter a live lockup situation when a vulnerability scanner runs to check for the Heartbleed vulnerability. Although the servers operating system will continue to function normally, first-generation iLO and iLO 2 will no longer be responsive over the management network. --------------------------------------------- http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDispl… *** HPSBHF03006 rev.1 - HP Integrated Lights-Out 2 (iLO 2) Denial of Service *** --------------------------------------------- A potential security vulnerability has been identified in HP Integrated Lights-Out 2 (iLO 2) servers that allows for a Denial of Service. The denial of service condition occurs only when the iLO 2 is scanned by vulnerability assessment tools that test for CVE-2014-0160 (Heartbleed vulnerability). --------------------------------------------- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… *** HP Security Bulletins for CVE 2014-0160 *** --------------------------------------------- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… *** Vuln: EMC Connectrix Manager Converged Network Edition Remote Information Disclosure Vulnerability *** --------------------------------------------- http://www.securityfocus.com/bid/66308

1 0

Tageszusammenfassung - Mittwoch 23-04-2014
by Daily end-of-shift report 23 Apr '14

23 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 22-04-2014 18:00 − Mittwoch 23-04-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Wartungsarbeiten Mailing-Listen-Server 24. April 2014 *** --------------------------------------------- Am Nachmittag des 24. April werden wir Wartungsarbeiten an unserem Mailing-Listen-Server (lists.cert.at) durchführen. Auswirkungen: verzögerte Zustellung von Listen-Mails Administrations-Interface (Subscribe/Unsubscribe etc.) der Mailing-Listen nicht verfügbar Mailing-Listen-Archive nicht verfügbar. Wir werden uns bemühen, die Ausfälle so kurz wie möglich zu halten, können jedoch keine genaue... --------------------------------------------- http://www.cert.at/services/blog/20140423085410-1134.html *** DBIR: Poor Patching, Weak Credentials Open Door to Data Breaches *** --------------------------------------------- Weak or default credentials, poor configurations and a lack of patching are common denominators in most data breaches, according to the 2014 Verizon Data Breach Investigations Report. --------------------------------------------- http://threatpost.com/dbir-poor-patching-weak-credentials-open-door-to-data… *** Millions Feedly users vulnerable to Javascript Injection attack *** --------------------------------------------- A security researcher discovered a serious Javascript Injection vulnerability in the popular Feedly Android App impacting Millions Users. --------------------------------------------- http://securityaffairs.co/wordpress/24209/hacking/feedly-javascript-vulnera… *** Apple stopft Sicherheitslücken in iOS, OS X und WLAN-Basisstationen *** --------------------------------------------- Die Updates sollen kritische Schwachstellen in Apples Betriebssystemen beseitigen - darunter eine weitere Lücke, die das Ausspähen von SSL-Verbindungen erlaubt. Für die AirPort-Stationen steht ein Heartbleed-Fix bereit. --------------------------------------------- http://www.heise.de/security/meldung/Apple-stopft-Sicherheitsluecken-in-iOS… *** Operation Francophoned: The Persistence and Evolution of a Dual-Pronged Social Engineering Attack *** --------------------------------------------- Operation Francophoned, first uncovered by Symantec in May 2013, involved organizations receiving direct phone calls and spear phishing emails impersonating a known telecommunication provider in France, all in an effort to install malware and steal information and ultimately money from targets. --------------------------------------------- http://www.symantec.com/connect/blogs/operation-francophoned-persistence-an… *** Blog: An SMS Trojan with global ambitions *** --------------------------------------------- Recently, we’ve seen SMS Trojans starting to appear in more and more countries. One prominent example is Trojan-SMS.AndroidOS.Stealer.a: this Trojan came top in Kaspersky Lab's recent mobile malware ТОР 20. It can currently send short messages to premium-rate numbers in 14 countries around the world. --------------------------------------------- http://www.securelist.com/en/blog/8209/An_SMS_Trojan_with_global_ambitions *** ISC stellt Entwicklung an seinem BIND10-DNS-Server ein *** --------------------------------------------- Das Unternehmen hat die letzte von ihm entwickelte Version veröffentlicht und zieht sich aus der weiteren Entwicklung zurück. Dabei sollte BIND10 ursprünglich BIND9 ablösen, das seinerzeit Hochleistungs-Server nur unzureichend ausschöpfen konnte. --------------------------------------------- http://www.heise.de/newsticker/meldung/ISC-stellt-Entwicklung-an-seinem-BIN… *** Nine patterns make up 92 percent of security incidents *** --------------------------------------------- Verizon security researchers have found that 92 percent of the 100,000 security incidents analyzed over the past ten years can be traced to nine basic attack patterns that vary from industry to industry. --------------------------------------------- http://www.net-security.org/secworld.php?id=16725 *** Dissecting the unpredictable DDoS landscape *** --------------------------------------------- DDoS attacks are now more unpredictable and damaging than ever, crippling websites, shutting down operations, and costing millions of dollars in downtime, customer support and brand damage, according to Neustar. --------------------------------------------- http://www.net-security.org/secworld.php?id=16726 *** Special Edition of OUCH: Heartbleed - Why Do I Care? http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-2014-special_e…, (Wed, Apr 23rd) *** --------------------------------------------- -- Alex Stanford - GIAC GWEB, Research Operations Manager, SANS Internet Storm Center (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. --------------------------------------------- http://isc.sans.edu/diary.html?storyid=18013&rss *** Apple splats new SSL snooping bug in iOS, OS X - but its no Heartbleed *** --------------------------------------------- Triple-handshake flaw stalks Macs and iThings Apple has squashed a significant security bug in its SSL engine for iOS and OS X as part of a slew of patches for iThings and Macs. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/04/23/apple_ssl_u… *** Joomla Plugin Constructor Backdoor *** --------------------------------------------- We recently wrote about backdoors in pirated commercial WordPress plugins. This time it will be a short post about an interesting backdoor we found in a Joomla plugin. It was so well organized that at first we didn't realize there was a backdoor even though we knew something was wrong. That's how the code of... --------------------------------------------- http://blog.sucuri.net/2014/04/joomla-plugin-constructor-backdoor.html *** Citrix Security Advisory for CVE-2014-0160, aka the Heartbleed vulnerability *** --------------------------------------------- A vulnerability has been recently disclosed in OpenSSL that could result in remote attackers being able to obtain sensitive data from the process address space of a vulnerable OpenSS... --------------------------------------------- http://support.citrix.com/article/CTX140605 *** IBM PSIRT - OpenSSL Heartbleed (CVE-2014-0160) *** --------------------------------------------- We will continue to update this blog to include information about products. The following is a list of products affected by the Heartbleed vulnerability. Please follow the links below to view the security bulletins for the affected products. --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/openssl_heartbleed_cv… *** Information on Norton products and the Heartbleed vulnerability *** --------------------------------------------- This article answers many of the questions that are currently being asked about the Heartbleed bug and the role that Norton products play in defending against this attack. --------------------------------------------- https://support.norton.com/sp/en/us/home/current/solutions/v98431836_EndUse… *** OpenSSL Security Vulnerability - aka. "Heartbleed Bug" - CVE-2014-0160 - Security Incident Response for D-Link Devices and Services *** --------------------------------------------- D-Link is investigating all devices and systems that utilize the OpenSSL software library to determine if our devices and customers are affected by this security vulnerability. You will find current status below and can contact us at security(a)dlink.com about specific questions. --------------------------------------------- http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10022 *** Heartbleed Vulnerability in Various Products *** --------------------------------------------- http://tomcat.apache.org/native-doc/news/2014.html http://tomcat.apache.org/native-doc/miscellaneous/changelog.html http://www.fortiguard.com/advisory/FG-IR-14-011/ http://www.sybase.com/detail?id=1099387 https://secunia.com/advisories/58188 (Symantec Multiple Products) https://secunia.com/advisories/58148 (Xerox WorkCentre 3315/3325) *** VU#350089: IBM Notes and Domino on x86 Linux specify an executable stack *** --------------------------------------------- Vulnerability Note VU#350089 IBM Notes and Domino on x86 Linux specify an executable stack Original Release date: 22 Apr 2014 | Last revised: 22 Apr 2014 Overview IBM Notes and Domino on x86 Linux are incorrectly built requesting an executable stack. This can make it easier for attackers to exploit vulnerabilities in Notes, Domino, and any of the child processes that they may spawn. Description The build environment for the x86 Linux versions of IBM Notes and Domino incorrectly specified the... --------------------------------------------- http://www.kb.cert.org/vuls/id/350089 *** Cisco ASA SIP Inspection Memory Leak Vulnerability *** --------------------------------------------- A vulnerability in the Session Initiation Protocol (SIP) inspection engine code could allow an unauthenticated, remote attacker to cause a slow memory leak, which may cause instability on the affected system. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** AirPort Extreme and AirPort Time Capsule OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information *** --------------------------------------------- http://www.securitytracker.com/id/1030132 *** Apple OS X Multiple Bugs Let Remote Users Execute Arbitrary Code and Deny Service and Local Users Gain Elevated Privileges *** --------------------------------------------- http://www.securitytracker.com/id/1030133 *** Sixnet Sixview 2.4.1 Directory Traversal *** --------------------------------------------- Topic: Sixnet Sixview 2.4.1 Directory Traversal Risk: Medium Text:#Exploit Title: Sixnet sixview web console directory traversal #Date: 2014-04-21 #Exploit Author: daniel svartman #Vendor Ho... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014040150 *** Parallels Plesk Panel 12.x Key Disclosure *** --------------------------------------------- Topic: Parallels Plesk Panel 12.x Key Disclosure Risk: High Text:While auditing the source code for Parallels Plesk Panel 12.x on Linux I noticed the following feature that leads to leakage o... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014040151 *** [2014-04-23] Path Traversal/Remote Code Execution in WD Arkeia Network Backup Appliances *** --------------------------------------------- An unauthenticated remote attacker can exploit the identified Path Traversal vulnerability in order to retrieve arbitrary files from the affected WD Arkeia Network Backup appliances and execute system commands. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014… *** Security Advisory-Improper Input Validation Vulnerability on Multiple Quidway Switch Products *** --------------------------------------------- Once exploited, the vulnerability might cause a excessive resource (e.g. memory) consumption of the vulnerable system and even cause the system to restart in serious cases. --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… *** HP Security Bulletins *** --------------------------------------------- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… *** Security Advisories Relating to Symantec Products - Symantec Messaging Gateway Management Console Reflected XSS *** --------------------------------------------- Symantec's Messaging Gateway management console is susceptible to a reflected cross-site scripting (XSS) issue found in one of the administrative interface pages. Successful exploitation could result in potential session hijacking or unauthorized actions directed against the console with the privileges of the targeted user's browser. --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… *** Security Bulletin: IBM Sterling Order Management is affected by Cross Site Scripting (XSS) Vulnerability (CVE-2014-0932) *** --------------------------------------------- IBM Sterling Order Management is vulnerable to a cross-site scripting attack which could lead to unauthorized access through the injected scripts. --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21670912 *** Django Security Issue and Multiple Vulnerabilities *** --------------------------------------------- A security issue and multiple vulnerabilities have been reported in Django, which can be exploited by malicious people to potentially disclose certain sensitive information, manipulate certain data, and compromise a vulnerable system. --------------------------------------------- https://secunia.com/advisories/58201 *** Hitachi Multiple Cosminexus / uCosminexus Products Java Multiple Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/58197 *** Hitachi Multiple Cosminexus / uCosminexus Products SSL/TLS Initialization Vector Selection Weakness *** --------------------------------------------- https://secunia.com/advisories/58240

1 0

Tageszusammenfassung - Dienstag 22-04-2014
by Daily end-of-shift report 22 Apr '14

22 Apr '14

======================= = Heartbleed Report = = a.k.a = = End-of-Shift report = ======================= Timeframe: Freitag 18-04-2014 18:00 − Dienstag 22-04-2014 18:00 Handler: Stephan Richter Co-Handler: n/a *** Amplification, reflection DDoS attacks increase 35 percent in Q1 2014 *** --------------------------------------------- The Q1 2014 Global DDoS Attack Report reveals that amplification and reflection distributed denial-of-service attacks are on the rise. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/GljZsrx9WMs/ *** Das Router-Desaster: Fritzbox-Update gerät ins Stocken *** --------------------------------------------- Aktuelle Scan-Ergebnisse belegen, dass die Verbreitung des kritischen Sicherheits-Updates kaum voranschreitet. In vielen Fällen werden verwundbare Fritzboxen sogar noch mit aktivem Fernzugriff betrieben - eine gefährliche Mischung. --------------------------------------------- http://www.heise.de/security/meldung/Das-Router-Desaster-Fritzbox-Update-ge… *** Home entertainment implementations are pretty appaling *** --------------------------------------------- I picked up a Panasonic BDT-230 a couple of months ago. Then I discovered that even though it appeared fairly straightforward to make it DVD region free (I have a large pile of PAL region 2 DVDs), the US models refuse to play back PAL content. We live in an era of software-defined functionality. While Panasonic could have designed a separate hardware SKU with a hard block on PAL output, that would seem like unnecessary expense. So, playing with the firmware seemed like a reasonable... --------------------------------------------- http://mjg59.dreamwidth.org/31178.html *** OpenSSL Rampage, (Mon, Apr 21st) *** --------------------------------------------- OpenSSL, in spite of its name, isnt really a part of the OpenBSD project. But as one of the more positive results of the recent Heartbleed fiasco, the OpenBSD developers, who are known for their focus on readable and secure code, have now started a full-scale review and cleanup of the OpenSSL codebase. If you are interested in writing secure code in C (not necessarily a contradiction in terms), I recommend you take a look at http://opensslrampage.org/archive/2014/4, where the OpenBSD-OpenSSL... --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17997&rss *** Mysterious iOS malware campaign has Chinese origins *** --------------------------------------------- The threat, dubbed "Unflod Baby Panda," was discovered by Reddit users and analyzed by researchers at the German-based security firm, SektionEins. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/_EB9Qixb5Vk/ *** Easter egg: DSL router patch merely hides backdoor instead of closing it *** --------------------------------------------- Researcher finds secret "knock" opens admin for some Linksys, Netgear routers. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/MBqOOgJa9Ng/ *** Feedly fixes Android JavaScript code injection flaw, deems it "harmless" *** --------------------------------------------- A researcher wrote about a bug in the Android app for news aggregator Feedly that could enable JavaScript code injection, but even though it was fixed, the company did not really consider it a vulnerability. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/lZyhHF8qR8o/ *** Report: Google looks to integrate PGP with Gmail *** --------------------------------------------- Pretty Good Privacy, or PGP, is an encryption method that was created in the early 90s. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/pxVEyRndi7A/ *** Weekly Metasploit Update: Heartbleed and Firefox Passwords *** --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2014/04/17/weekly-me… *** Critical update makes P2P Zeus trojan even tougher to remove *** --------------------------------------------- An update to the P2P Zeus banking trojan results in the installation of a rootkit driver that makes deleting the malware even tougher. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/EIQ5YrV1__8/ *** Sicherheitslücke beim Netzwerkmonitor Nagios *** --------------------------------------------- Der "Nagios Remote Plugin Executor" führt unter Umständen eingeschleuste Befehle aus. Diese Umstände deuten allerdings schon auf eine generell unsichere Konfiguration hin. --------------------------------------------- http://www.heise.de/security/meldung/Sicherheitsluecke-beim-Netzwerkmonitor… *** Ein Viertel der Internetnutzer wechselt nie die Passwörter *** --------------------------------------------- Trotz Heartbleed wechselt weiterhin rund ein Viertel aller deutschen Internetnutzer nie ihr Passwort. Ein Drittel der Befragten verwendet ein Passwort auf mehreren Plattformen. --------------------------------------------- http://futurezone.at/digital-life/ein-viertel-der-internetnutzer-wechselt-n… *** Heartbleed und das Sperrproblem von SSL *** --------------------------------------------- Nach dem Beseitigen des Heartbleed-Problems sperrten viele Admins vorsorglich ihre SSL-Zertifikate und besorgten sich neue. Trotzdem bedeuten geklaute Server-Schlüssel auch weiterhin ein Problem - denn das Sperren funktioniert eigentlich nicht. --------------------------------------------- http://www.heise.de/security/meldung/Heartbleed-und-das-Sperrproblem-von-SS… *** OpenSSL ssl3_read_bytes denial of service *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/92632 *** Alert for CVE-2014-0160 *** --------------------------------------------- This Security Alert addresses CVE-2014-0160 ('Heartbleed'), a publicly disclosed vulnerability which affects multiple OpenSSL versions implemented by various vendors in their products. This vulnerability affects multiple Oracle products. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality of systems that are running affected versions of OpenSSL. According to http://heartbleed.com, the compromised data may contain passwords, private keys, and other sensitive information. In some instances, this information could be used by a malicious attacker to log into systems using a stolen identity or decrypt private information that was sent months or years ago. --------------------------------------------- http://www.oracle.com/technetwork/topics/security/alert-cve-2014-0160-21907… *** Winamp Buffer Overflow and Pointer Dereference Bugs Let Remote Users Execute Arbitrary Code *** --------------------------------------------- http://www.securitytracker.com/id/1030107 *** VMSA-2014-0004.6 *** --------------------------------------------- VMware product updates address OpenSSL security vulnerabilities --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2014-0004.html *** F5 - Various Vulnerabilities in Multiple Products *** --------------------------------------------- https://secunia.com/advisories/58157 https://secunia.com/advisories/58159 https://secunia.com/advisories/58154 https://secunia.com/advisories/58160 *** Check Point Mobile VPN for iOS and for Android OpenSSL Heartbeat Two Information Disclosure Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/57947 *** VU#622950: Toshiba Global Commerce Solutions 4690 Point of Sale operating system contains a password hashing algorithm that can be reversed *** --------------------------------------------- Vulnerability Note VU#622950 Toshiba Global Commerce Solutions 4690 Point of Sale operating system contains a password hashing algorithm that can be reversed Original Release date: 21 Apr 2014 | Last revised: 21 Apr 2014 Overview Toshiba Global Commerce Solutions 4690 Point of Sale operating system contains a password hashing algorithm that can be reversed. (CWE-328) Description Toshiba Global Commerce Solutions 4690 Point of Sale operating system contains a password hashing algorithm that --------------------------------------------- http://www.kb.cert.org/vuls/id/622950 *** Bugzilla Input Validation Flaw Permits Cross-Site Request Forgery Attacks *** --------------------------------------------- http://www.securitytracker.com/id/1030128 *** SonicWALL Multiple Products OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/58146 *** CA Multiple Products OpenSSL TLS/DTLS Heartbeat Information Disclosure Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/58019 *** Tenable SecurityCenter OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/58182 *** IBM OS/400 Weakness and Multiple Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/57826 *** ADTRAN Multiple Products OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/58172 *** Vulnerabilities in multiple HP Products *** --------------------------------------------- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_… *** BlackBerry Enterprise Service OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/58244 *** IBM Security Bulletins *** --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ds8… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ope… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/title_ibm_endpoint_ma… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pow… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entryhttps://www-304.ibm.co… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_fle… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ts3… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_pow… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm… https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_san…

1 0

Tageszusammenfassung - Freitag 18-04-2014
by Daily end-of-shift report 18 Apr '14

18 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 17-04-2014 18:00 − Freitag 18-04-2014 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Looking for malicious traffic in electrical SCADA networks - part 2 - solving problems with DNP3 Secure Authentication Version 5, (Thu, Apr 17th) *** --------------------------------------------- I received this week a very valuable e-mail from the DNP Technical Committee Chair, Mr. Adrew West, who pointed an excellent observation and its the very slow adoption of DNP3 Secure Authentication Version 5, which is the latest security enhancement for the DNP3 protocol. I want to talk today about this standard and the advantages of adopting it into your DNP3 SCADA system. This standard has two specific objectives: Help DNP3 outstation to determine beyond any reasonable doubt that its... --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17981&rss *** Heartbleed Bug Sends Bandwidth Costs Skyrocketing *** --------------------------------------------- The exposure of the Heartbleed vulnerability last week had a number of repercussions, one of which was to set off a mad scramble by companies to revoke the SSL certificates for their domains and services and obtain new ones. The total costs of Heartbleed are yet to be calculated, but CloudFlare has come up with... --------------------------------------------- http://feeds.wired.com/c/35185/f/661467/s/397cb2f7/sc/5/l/0L0Swired0N0C20A1… *** Heartbleed bereitet Anonymisierungsnetzwerk Tor Schwierigkeiten *** --------------------------------------------- Rund ein Fünftel der Exit Nodes von OpenSSL-Lücke betroffen - Vorschlag diese aus dem Netz zu werfen... --------------------------------------------- http://derstandard.at/1397520979826 *** Mac OS X Trojans display ads *** --------------------------------------------- April 16, 2014 Malicious programs designed to generate a profit for intruders by displaying annoying ads are very common, but until recently they have mostly been a nuisance for Windows users. Thats why a few Trojans that were recently examined by Doctor Webs security researchers stand out among such applications... --------------------------------------------- http://news.drweb.com/show/?i=4352&lng=en&c=9 *** Heartbleed Update *** --------------------------------------------- Adobe has evaluated the Creative Cloud and its related services (including Behance and Digital Publishing Suite), the Marketing Cloud solutions and products (including Analytics, Analytics Premium and Experience Manager), EchoSign, Acrobat.com, the Adobe.com store, and other Adobe services. All Adobe internet-facing services known to have been using a version of OpenSSL containing the Heartbleed vulnerability have been mitigated. We are continuing our analysis of Adobe internet-facing servers to identify and remediate any remaining Heartbleed-related risks. --------------------------------------------- http://blogs.adobe.com/psirt/?p=1085 *** Security Advisory-OpenSSL Heartbeat Extension vulnerability (Heartbleed bug) on Huawei multiple products *** --------------------------------------------- Some OpenSSL software versions used in multiple Huawei products have the following OpenSSL vulnerability. Unauthorized remote attackers can dump 64 Kbytes of memory of the connected server or client in each attack. The leaked memory may contain sensitive information, such as passwords and private keys (Vulnerability ID: HWPSIRT-2014-0414). --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-advisor… *** McAfee Security Bulletin - OpenSSL Heartbleed vulnerability patched in McAfee products *** --------------------------------------------- Several McAfee products are vulnerable to OpenSSL Heartbleed. See the McAfee Product Vulnerability Status lists below for the status of each product. --------------------------------------------- https://kc.mcafee.com/corporate/index?page=content&id=SB10071 *** Nagios Remote Plugin Executor 2.15 Remote Command Execution *** --------------------------------------------- Topic: Nagios Remote Plugin Executor 2.15 Remote Command Execution Risk: High Text: - Release date: 17.04.2014 - Discovered by: Dawid Golunski - Severity: High I. VULNER... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014040126 *** MariaDB Multiple Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/58106 *** Debian update for qemu and qemu-kvm *** --------------------------------------------- https://secunia.com/advisories/58088 *** OpenVZ update for kernel *** --------------------------------------------- https://secunia.com/advisories/58060

1 0

Tageszusammenfassung - Donnerstag 17-04-2014
by Daily end-of-shift report 17 Apr '14

17 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 16-04-2014 18:00 − Donnerstag 17-04-2014 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** Entwickler-Modus gefährdet Blackberries *** --------------------------------------------- Bei aktiviertem Entwickler-Modus können Angreifer über das WLAN oder die USB-Verbindung Schadcode mit vollen Root-Rechten ausführen. Wird der Modus wieder abgeschaltet, ist das Gerät immer noch bis zum nächsten Neustart angreifbar. --------------------------------------------- http://www.heise.de/security/meldung/Entwickler-Modus-gefaehrdet-Blackberri… *** Heartbleed: BSI sieht keinen Grund für Entwarnung *** --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik sieht beim "Heartbleed Bug" weiteren Handlungsbedarf. Kleinere Websites sind nach wie vor verwundbar, auch nehmen Angreifer jetzt andere Dienste ins Visier. --------------------------------------------- http://www.heise.de/security/meldung/Heartbleed-BSI-sieht-keinen-Grund-fuer… *** Bugtraq: [SECURITY] [DSA 2907-1] Announcement of long term support for Debian oldstable *** --------------------------------------------- http://www.securityfocus.com/archive/1/531856 *** mAdserve id SQL injection *** --------------------------------------------- http://xforce.iss.net/xforce/xfdb/92545 *** SA-CONTRIB-2014-041 - Block Search - SQL Injection *** --------------------------------------------- Advisory ID: DRUPAL-SA-CONTRIB-2014-041 Project: Block Search (third-party module) Version: 6.x Date: 2014-April-16 Security risk: Highly critical Exploitable from: Remote Vulnerability: SQL Injection Description: Block Search module provides an alternative way of managing blocks.The module doesnt properly use Drupals database API resulting in user-provided strings being passed directly to the database allowing SQL Injection.This vulnerability is mitigated by the fact that an attacker must either use a --------------------------------------------- https://drupal.org/node/2242463 *** SA-CORE-2014-002 - Drupal core - Information Disclosure *** --------------------------------------------- Advisory ID: DRUPAL-SA-CORE-2014-002 Project: Drupal core Version: 6.x, 7.x Date: 2014-April-16 Security risk: Moderately critical Exploitable from: Remote Vulnerability: Information Disclosure Description: Drupals form API has built-in support for temporary storage of form state, for example user input. This is often used on multi-step forms, and is required on Ajax-enabled forms in order to allow the Ajax calls to access and update interim user input on the server.When pages are cached for anonymous --------------------------------------------- https://drupal.org/SA-CORE-2014-002 *** Heartbleed CRL Activity Spike Found, (Wed, Apr 16th) *** --------------------------------------------- It looks like, as I had suspected, the CRL activity numbers we have been seeing did not reflect the real volume caused by the OpenSSL Heartbleed bug. This evening I noticed a massive spike in the amount of revocations being reported by this CRL: http://crl.globalsign.com/gs/gsorganizationvalg2.crl The spike is so large that we initially thought it was a mistake, but we have since confirmed that its real! Were talking about over 50,000 unique recovations from a single CRL: This is by an order --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17977&rss *** Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too *** --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/cz_Y-Ayd5tw/ *** OpenSSL-Bug Heartbleed: Die meisten Router sind laut Herstellerangaben nicht verwundbar *** --------------------------------------------- Die meisten Router-Hersteller geben an, ältere OpenSSL-Versionen zu nutzen. Etliche liefern aber keine Belege dafür, dass ihre Geräte nicht verwundbar sind. Sicherheitsbewusste Nutzer müssen also die Ärmel hochkrempeln und die Geräte selbst testen. --------------------------------------------- http://www.heise.de/security/meldung/OpenSSL-Bug-Heartbleed-Die-meisten-Rou… *** SAP Router Password Timing Attack *** --------------------------------------------- Topic: SAP Router Password Timing Attack Risk: High Text:Core Security - Corelabs Advisory http://corelabs.coresecurity.com/ SAP Router Password Timing Attack 1. *Advisory Inf... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014040118 *** Whats worse than Heartbleed? Bugs in Heartbleed detection scripts. *** --------------------------------------------- As of the writing of this blog post, Nessus, Metasploit, Nmap, and others have released methods for detecting whether your systems are affected. The problem is, most of them have bugs themselves which lead to false negatives results, that is, a result which says a system is not vulnerable when in reality it is. With many people likely running detection scripts or other scans against hosts to check if they need to be patched, it is important that these bugs be addressed before too many people --------------------------------------------- http://www.hut3.net/blog/cns---networks-security/2014/04/14/bugs-in-heartbl… *** Definitionsupdate für Microsoft-Virenscanner bremst Windows XP aus *** --------------------------------------------- http://derstandard.at/1397520906230 *** Zugriff auf SMS-Nachrichten und Tor-Traffic dank Heartbleed *** --------------------------------------------- Hackern ist es gelungen, die von SMS-Gateways verschickten Nachrichten auszulesen - Tokens zur Zwei-Faktor-Authentisierung inklusive. Und auch Tor-Exitnodes geben beliebige Speicherinhalte preis. --------------------------------------------- http://www.heise.de/security/meldung/Zugriff-auf-SMS-Nachrichten-und-Tor-Tr… *** Bleichenbacher-Angriff: TLS-Probleme in Java *** --------------------------------------------- In der TLS-Bibliothek von Java wurde ein Problem gefunden, welches unter Umständen das Entschlüsseln von Verbindungen erlaubt. Es handelt sich dabei um die Wiederbelebung eines Angriffs, der bereits seit 1998 bekannt ist. (Java, Technologie) --------------------------------------------- http://www.golem.de/news/bleichenbacher-angriff-tls-probleme-in-java-1404-1…

1 0

Tageszusammenfassung - Mittwoch 16-04-2014
by Daily end-of-shift report 16 Apr '14

16 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 15-04-2014 18:00 − Mittwoch 16-04-2014 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner *** Phishing-Mail: BSI warnt vor BSI-Warnung *** --------------------------------------------- Die regelmäßigen Warnungen des BSI vor gehackten Online-Konten haben offenbar Kriminelle zu einer Phishing-Attacke animiert. Von "verdachtigen Aktivitäten" und "anwaltlichen Schritten" ist darin die Rede. (Phishing, Internet) --------------------------------------------- http://www.golem.de/news/phishing-mail-bsi-warnt-vor-bsi-warnung-1404-10589… *** RSA BSAFE Micro Edition Suite security bypass *** --------------------------------------------- RSA BSAFE Micro Edition Suite (MES) could allow a remote attacker to bypass security restrictions, caused by an error within the certificate chain processing logic. An attacker could exploit this vulnerability to create an improperly authenticated SSL connection. --------------------------------------------- http://xforce.iss.net/xforce/xfdb/92408 *** Chef Multiple Vulnerabilities *** --------------------------------------------- Chef Software has acknowledged multiple security issues and vulnerabilities in Chef, which can be exploited by malicious people to conduct spoofing and cross-site scripting attacks, bypass certain security restrictions, disclose potentially sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system. --------------------------------------------- https://secunia.com/advisories/57836 *** WordPress Twitget Plugin Cross-Site Request Forgery Vulnerability *** --------------------------------------------- dxwsecurity has reported a vulnerability in the Twitget plugin for WordPress, which can be exploited by malicious people to conduct cross-site request forgery attacks. The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. change plugin configuration settings when a logged-in administrative user visits a specially crafted web page. --------------------------------------------- https://secunia.com/advisories/57892 *** Critical Patch Update - April 2014 *** --------------------------------------------- Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Products and Versions column. --------------------------------------------- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html *** Innominate mGuard OpenSSL HeartBleed Vulnerability *** --------------------------------------------- OVERVIEW Researcher Bob Radvanovsky of Infracritical has notified NCCIC/ICS-CERT that Innominate has released a new firmware version that mitigates the OpenSSL HeartBleed vulnerability in the mGuard products.This vulnerability could be exploited remotely. Exploits that target the OpenSSL Heartbleed vulnerability are known to be publicly available.AFFECTED PRODUCTSThe following Innominate mGuard versions are affected: --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-105-02 *** Siemens Industrial Products OpenSSL HeartBleed Vulnerability *** --------------------------------------------- OVERVIEWSiemens reported to NCCIC/ICS-CERT a list of products affected by the OpenSSL vulnerability (known as 'Heartbleed'). Joel Langill of Infrastructure Defense Security Services reported to ICS-CERT and Siemens the OpenSSL vulnerability affecting the S7-1500.Siemens has produced an update and Security Advisory (SSA-635659) that mitigates this vulnerability in eLAN and is currently working on updates for the other affected products. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-105-03 *** Looking for malicious traffic in electrical SCADA networks - part 1, (Tue, Apr 15th) *** --------------------------------------------- When infosec guys are performing intrusion detection, they usually look for attacks like portscans, buffer overflows and specific exploit signature. For example, remember OpenSSL heartbleed vulnerability? --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17967&rss *** New Feature: Monitoring Certification Revocation Lists https://isc.sans.edu/crls.html, (Wed, Apr 16th) *** --------------------------------------------- Certificate Revocation Lists (“CRLs”) are used to track revoked certificates. Your browser will download these lists to verify if a certificate presented by a web site has been revoked. The graph above shows how many certificates were revoked each day by the different CRLs we are tracking. --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17969&rss *** Adobe Flash ExternalInterface Use-After-Free *** --------------------------------------------- VUPEN Vulnerability Research Team discovered a critical vulnerability in Adobe Flash. The vulnerability is caused by a use-after-free error when interacting with the "ExternalInterface" class from the browser, which could be exploited to achieve code execution via a malicious web page. --------------------------------------------- http://cxsecurity.com/issue/WLB-2014040102 *** Netgear N600 Password Disclosure / Account Reset *** --------------------------------------------- While i was lurking around the Netgear firmware today i came across various tweaking and others i was able to find a password disclosure,File uploading vulnerably which could compromise the entire router.as of now no patch from the vendor. --------------------------------------------- http://cxsecurity.com/issue/WLB-2014040101 *** Apache Syncope 1.0.8 / 1.1.6 Code Execution *** --------------------------------------------- In the various places in which Apache Commons JEXL expressions are allowed (derived schema definition, user / role templates, account links of resource mappings) a malicious administrator can inject Java code that can be executed remotely by the JEE container running the Apache Syncope core. --------------------------------------------- http://cxsecurity.com/issue/WLB-2014040106 *** Bugtraq: CVE-2014-2735 - WinSCP: missing X.509 validation *** --------------------------------------------- A user can not recognize an easy to perform man-in-the-middle attack, because the client does not validate the "Common Name" of the servers X.509 certificate. In networking environment that is not trustworthy, like a wifi network, using FTP AUTH TLS with WinSCP the servers identity can not be trusted. --------------------------------------------- http://www.securityfocus.com/archive/1/531847 *** Qemu: out of bounds buffer access, guest triggerable via IDE SMART *** --------------------------------------------- An out of bounds memory access flaw was found in Qemu's IDE device model. It leads to Qemu's memory corruption via buffer overwrite(4 bytes). It occurs while executing IDE SMART commands. A guest's user could use this flaw to corrupt Qemu process's memory on the host. --------------------------------------------- http://seclists.org/oss-sec/2014/q2/116 *** Hintergrund: Warum wir Forward Secrecy brauchen *** --------------------------------------------- Der SSL-GAU zeigt nachdrücklich, dass Forward Secrecy kein exotisches Feature für Paranoiker ist. Es ist vielmehr das einzige, was uns noch vor einer vollständigen Komplettüberwachung aller Kommunikation durch die Geheimdienste schützt. --------------------------------------------- http://www.heise.de/security/artikel/Warum-wir-Forward-Secrecy-brauchen-217…

1 0

Tageszusammenfassung - Dienstag 15-04-2014
by Daily end-of-shift report 15 Apr '14

15 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 14-04-2014 18:00 − Dienstag 15-04-2014 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Barracuda Multiple Products OpenSSL TLS/DTLS Heartbeat Two Information Disclosure Vulnerabilities *** --------------------------------------------- https://secunia.com/advisories/57869 *** DSA-2903 strongswan *** --------------------------------------------- http://www.debian.org/security/2014/dsa-2903 *** Occupy Your Icons Silently on Android *** --------------------------------------------- FireEye mobile security researchers have discovered a new Android security issue: a malicious app with normal protection level permissions can probe icons on Android home screen and modify them to point to phishing .. --------------------------------------------- http://www.fireeye.com/blog/uncategorized/2014/04/occupy_your_icons_silentl… *** From the Trenches: AV Evasion With Dynamic Payload Generation *** --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2014/04/14/from-the-… *** Critical Patch Update - April 2014 - Pre-Release Announcement *** --------------------------------------------- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html *** First Phase of TrueCrypt Audit Turns Up No Backdoors *** --------------------------------------------- A initial audit of the popular open source encryption software TrueCrypt turned up fewer than a dozen vulnerabilities, none of which so far point toward a backdoor surreptitiously inserted into the codebase. A report on the first phase of the audit was released .. --------------------------------------------- http://beta.slashdot.org/story/200749 *** Microsoft Confirms It Is Dropping Windows 8.1 Support *** --------------------------------------------- Microsoft TechNet blog makes clear that Windows 8.1 will not be patched, and that users must get Windows 8.1 Update if they want security patches, InfoWorlds Woody Leonhard reports. In what is surely the most customer-antagonistic move of the new Windows regime, Steve Thomas at Microsoft posted a TechNet article on Saturday stating categorically that Microsoft will .. --------------------------------------------- http://tech.slashdot.org/story/14/04/15/0053213/microsoft-confirms-it-is-dr… *** VMware reveals 27-patch Heartbleed fix plan *** --------------------------------------------- Go buy your vSysadmins a big choccy egg: their Easter in peril VMware has confirmed that 27 of its products need patches for the Heartbleed bug. --------------------------------------------- http://www.theregister.co.uk/2014/04/15/vmware_reveals_27patch_heartbleed_f… *** Cyberwar-Doku "netwars / out of CTRL": Webdoc bei heise *** --------------------------------------------- heise online präsentiert parallel zur Arte-Doku den ersten Teil der innovativen Multimedia-Dokumentation zum Thema Cyberwar. Sie entscheiden selbst, ob Sie beispielsweise lieber Details zu Stuxnet oder einen Kommentar des Star-Hackers FX sehen möchten. --------------------------------------------- http://www.heise.de/newsticker/meldung/Cyberwar-Doku-netwars-out-of-CTRL-We… *** Samsung Galaxy S5: Fingerabdrucksensor auch schon gehackt *** --------------------------------------------- Mit einer für das iPhone 5S entwickelten Fingerkuppenattrappe trickste Ben Schlabs die Sperre des neuen Samsung-Flagschiffs aus. Er konnte damit dann sogar Geld überweisen. --------------------------------------------- http://www.heise.de/security/meldung/Samsung-Galaxy-S5-Fingerabdrucksensor-… *** SSA-364879 (Last Update 2014-04-15): Vulnerabilities in SINEMA Server *** --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… *** SSA-654382 (Last Update 2014-04-15): Vulnerabilities in SIMATIC S7-1200 CPU *** --------------------------------------------- https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_securit… *** Akamai Withdraws Proposed Heartbleed Patch *** --------------------------------------------- As researchers demonstrate OpenSSL bug exploits that retrieve private keys, Akamai rescinds a patch suggestion for the SSL/TLS library after a security researcher punches holes in it. --------------------------------------------- http://www.darkreading.com/application-security/akamai-withdraws-proposed-h… *** (ISC) launches cyber forensics credential in Europe *** --------------------------------------------- Information and software security professional body (ISC)2 has announced the availability of its Certified Cyber Forensics Professional certification in Europe. Registration for CCFP-EU is now open, with the first exam available on 30 April 2014 at Pearson VUE test centres across the region. The German translation of the exam is to be available from 15 June 2014. --------------------------------------------- http://www.computerweekly.com/news/2240218864/ISC2-launches-cyber-forensics… *** BSI warnt vor BSI-Mails *** --------------------------------------------- Betrüger missbrauchen den Namen des BSI für eine Phishing-Kampagne, die vorgibt, dass der Empfänger bei "illegalen Aktivitäten" erwischt wurde. Das BSI rät, den Anhang keinesfalls zu öffnen. --------------------------------------------- http://www.heise.de/security/meldung/BSI-warnt-vor-BSI-Mails-2170549.html *** Hardware Giant LaCie Acknowledges Year-Long Credit Card Breach *** --------------------------------------------- Computer hard drive maker LaCie has acknowledged that a hacker break-in at its online store exposed credit card numbers and contact information on customers for the better part of the past .. --------------------------------------------- http://krebsonsecurity.com/2014/04/hardware-giant-lacie-acknowledges-year-l… *** Synology räumt nach Heartbleed auf: Passwort-Wechsel und Updates *** --------------------------------------------- Nachdem es durch die Heartbleed-Lücke gelang, auf Mail-Adressen und Passwörter von Synology-Nutzern zuzugreifen, fordert der Hersteller seine Kunden nun nachdrücklich zum Passwortwechsel auf. Ausserdem gibt es Security-Updates für die Synology-NAS. --------------------------------------------- http://www.heise.de/security/meldung/Synology-raeumt-nach-Heartbleed-auf-Pa… *** Exploiting CSRF under NoScript Conditions *** --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2014/04/15/exploitin…

1 0

Tageszusammenfassung - Montag 14-04-2014
by Daily end-of-shift report 14 Apr '14

14 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 11-04-2014 18:00 − Montag 14-04-2014 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Heartbleed FAQ *** --------------------------------------------- Heartbleed FAQ11. April 2014Wir haben jetzt auch unsere Version einer FAQ zur "Heartbleed" veröffentlicht.Dieses Dokument ist kein finaler Bericht, sondern eine Bestandsaufnahme, die mit neuen Daten aktualisiert werden wird. So sind wir etwa dabei, den Status in Österreich noch genauer zu vermessen. Autor: Otmar Lendl --------------------------------------------- http://www.cert.at/services/blog/20140411232912-1127.html *** Heartbleed: Keys auslesen ist einfacher als gedacht *** --------------------------------------------- Zwei Personen ist es gelungen, private Schlüssel mit Hilfe des Heartbleed-Bugs aus einem nginx-Testserver auszulesen. Der Server gehört der Firma Cloudflare, die mit einem Wettbewerb sicherstellen wollte, dass das Auslesen privater Schlüssel unmöglich ist. (Server, OpenSSL) --------------------------------------------- http://www.golem.de/news/heartbleed-keys-auslesen-ist-einfacher-als-gedacht… *** NSA will nichts von "Heartbleed"-Lücke gewusst haben *** --------------------------------------------- In einem Bericht hatte die Nachrichtenagentur Bloomberg behauptet, die OpenSSL-Lücke sei der NSA seit zwei Jahren bekannt gewesen. Die US-Behörden wiesen das jedoch rasch zurück. --------------------------------------------- http://www.heise.de/security/meldung/NSA-will-nichts-von-Heartbleed-Luecke-… *** Heartbleed zeigt: Google muss Android-Updates in den Griff bekommen *** --------------------------------------------- Nur eine fast zwei Jahre alte Version betroffen, aber viele Millionen Geräte gefährdet - Updates unwahrscheinlich --------------------------------------------- http://derstandard.at/1397301984464 *** "Heartbleed": Noch immer tausende österreichische Webseiten betroffen *** --------------------------------------------- Sicherheitslücke findet sich auf Webservern öffentlicher Einrichtungen - Schulen und Gemeinden betroffen --------------------------------------------- http://derstandard.at/1397302008116 *** Identitätsdiebstahl: 7.500 Domain-Betreiber in Österreich betroffen *** --------------------------------------------- Das Bundeskriminalamt informiert nun alle Betreiber betroffener Domains --------------------------------------------- http://derstandard.at/1397302034346 *** OpenSSL use-after-free race condition read buffer *** --------------------------------------------- Topic: OpenSSL use-after-free race condition read buffer Risk: High Text:About two days ago, I was poking around with OpenSSL to find a way to mitigate Heartbleed. I soon discovered that in its defaul... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014040079 *** Citrix VDI-in-a-Box Discloses Administrator Password to Local Users *** --------------------------------------------- http://www.securitytracker.com/id/1030068 *** Arbitrary Code Execution Bug in Android Reader *** --------------------------------------------- A security vulnerability in Adobe Reader for Android could give an attacker the ability to execute arbitrary code. --------------------------------------------- http://threatpost.com/arbitrary-code-execution-bug-in-android-reader/105421

1 0

Tageszusammenfassung - Freitag 11-04-2014
by Daily end-of-shift report 11 Apr '14

11 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 10-04-2014 18:00 − Freitag 11-04-2014 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Heartbleed vendor informations / statistics *** --------------------------------------------- https://isc.sans.edu/diary/Heartbleed+vendor+notifications/17929 https://www.cert.fi/en/reports/2014/vulnerability788210.html http://securityaffairs.co/wordpress/23878/intelligence/statistics-impact-he… *** Gehackte Online-Konten: Mehr als zehn Millionen Abrufe von Sicherheitstest *** --------------------------------------------- Auch der zweite Sicherheitscheck des BSI zu gehackten Online-Konten stößt auf großes Interesse. Für Verwirrung sorgt aber weiter eine Sicherheitssperre von GMX und web.de. --------------------------------------------- http://www.golem.de/news/gehackte-online-konten-mehr-als-zehn-millionen-abr… *** The Heartbleed Hit List: The Passwords You Need to Change Right Now *** --------------------------------------------- ... it hasnt always been clear which sites have been affected. Mashable reached out to various companies included on a long list of websites that could potentially have the flaw. Below, weve rounded up the responses from some of the most popular social, email, banking and commerce sites on the web. --------------------------------------------- http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ *** Heartbleed Vulnerability Affects 5% of Select Top Level Domains from Top 1M *** --------------------------------------------- In trying to gauge the impact of the Heartbleed vulnerability, we proceeded to scanning the Top Level Domain (TLD) names of certain countries extracted from the top 1,000,000 domains by Alexa. We then proceeded to separate the sites which use SSL and further categorized those under "vulnerable" or "safe". The data we were able to... --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/heartbleed-vulne… *** Spionage-Botnet nutzte Heartbleed-Lücke schon vor Monaten aus *** --------------------------------------------- Bereits im November hat ein auf Spionage ausgelegtes Botnet offenbar versucht, durch die OpenSSL-Lücke Daten abzugreifen - möglicherweise im Auftrag eines Geheimdienstes. Die gute Nachricht ist: Die Anzahl der noch verwundbaren Server ist rückläufig. --------------------------------------------- http://www.heise.de/security/meldung/Spionage-Botnet-nutzte-Heartbleed-Luec… *** Heartbleed: Apple-Nutzer sind nicht betroffen *** --------------------------------------------- Weder Mac OS X, iOS noch Apples Dienste wie iCloud sind von der Heartbleed-Schwachstelle betroffen. Denn Apple verzichtet auf OpenSSL. Einige Apps verwenden die Kryptobibliothek jedoch. (Apple, Server-Applikationen) --------------------------------------------- http://www.golem.de/news/heartbleed-apple-nutzer-sind-nicht-betroffen-1404-… *** Heartbleed Explanation *** --------------------------------------------- http://xkcd.com/1354/ *** Critical Update for JetPack WordPress Plugin *** --------------------------------------------- The Jetpack team just released a critical security update to fix a security vulnerability in the Jetpack WordPress plugin. The vulnerability allows an attacker to bypass the site's access control and publish posts on the site. All versions of JetPack since October, 2012 (Jetpack 1.9) are vulnerable, and all users should update to version 2.9.3 --------------------------------------------- http://blog.sucuri.net/2014/04/critical-update-for-jetpack-wordpress-plugin… *** Security Updates for VMware vSphere *** --------------------------------------------- http://www.vmware.com/security/advisories/VMSA-2014-0002.html http://www.vmware.com/security/advisories/VMSA-2014-0003.html *** IBM SPSS Analytic Server Discloses Passwords to Remote Authenticated Users *** --------------------------------------------- http://www.securitytracker.com/id/1030051 *** [2014-04-11] Multiple vulnerabilities in Plex Media Server *** --------------------------------------------- Plex Media Server contains several vulnerability that allow an attacker to intercept traffic between Plex Media Server and clients in plaintext. Furthermore Cross Site Request Forgery (CSRF) vulnerabilities allow an attacker to execute privileged commands in the context of Plex Media Server. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014…

1 0

Tageszusammenfassung - Donnerstag 10-04-2014
by Daily end-of-shift report 10 Apr '14

10 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 09-04-2014 18:00 − Donnerstag 10-04-2014 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter *** Hintergrund: Passwörter in Gefahr - was nun? *** --------------------------------------------- Durch Heartbleed sind theoretisch schon wieder viele Millionen Passwörter in Gefahr. Sicherheitsexperten raten dazu, alle zu ändern. heise-Security-Chefredakteur Jürgen Schmidt schätzt das anders ein. --------------------------------------------- http://www.heise.de/security/artikel/Passwoerter-in-Gefahr-was-nun-2167584.… *** Heartbleed: 600.000 Server immer noch ungeschützt *** --------------------------------------------- Die Sicherheitslücke Heartbleed zieht immer weitere Kreise. Möglicherweise wurde die Schwachstelle schon seit Monaten ausgenutzt. --------------------------------------------- http://futurezone.at/digital-life/heartbleed-600-000-server-immer-noch-unge… *** Sicherheitslücke: Unternehmen können für Schäden durch Heartbleed haftbar sein *** --------------------------------------------- Der Heartbleed-Bug gilt als eine der gravierendsten Sicherheitslücken aller Zeiten. Millionen SSL-gesicherte Websites waren betroffen, erste Missbrauchsfälle sind bekanntgeworden. Können Unternehmen und Admins, die den Fehler nicht behoben haben, für Schäden belangt werden? Golem.de hat nachgefragt. (Ruby, OpenSSL) --------------------------------------------- http://www.golem.de/news/sicherheitsluecke-unternehmen-koennen-fuer-schaede… *** Smartphones vom SSL-GAU (fast) nicht betroffen *** --------------------------------------------- Keine der wichtigen Smartphone-Plattformen setzt in der aktuellen Version eine der für Heartbleed anfälligen OpenSSL-Bibliotheken ein. Lediglich Android-Nutzer mit einer mittelalten Version benötigen ein Update. --------------------------------------------- http://www.heise.de/security/meldung/Smartphones-vom-SSL-GAU-fast-nicht-bet… *** OpenSSL-Bug: Spuren von Heartbleed schon im November 2013 *** --------------------------------------------- Ein Systemadministrator hat angeblich in einem Logfile vom November letzten Jahres Exploit-Code für den Heartbleed-Bug gefunden. Die EFF ruft andere Administratoren zu Nachforschungen auf. (Technologie, Server) --------------------------------------------- http://www.golem.de/news/openssl-bug-spuren-von-heartbleed-schon-im-novembe… *** Kriminalität: Der Untergrund ist digital *** --------------------------------------------- Wie lässt sich gemeinsam gegen die Kriminalität 2.0 vorgehen? Die Antwort auf dem Kongress des Verbandes für Sicherheitstechnik: Verzahnung, engere Kooperationen, Zusammenarbeit & und Hoffen auf aktive Bürger und die Vorratsdatenspeicherung. --------------------------------------------- http://www.heise.de/security/meldung/Kriminalitaet-Der-Untergrund-ist-digit… *** Windows XP: Wechselmuffel im Patch-Dilemma *** --------------------------------------------- Das offizielle Ende des XP-Supports bedeutet nicht, dass keine Patches mehr im Netz auftauchen dürften. Für Nutzer könnte es aber gefährlich werden, solche Dateien zu installieren. (Microsoft, Spam) --------------------------------------------- http://www.golem.de/news/windows-xp-wechselmuffel-im-patch-dilemma-1404-105… *** "Heartbleed"-Lücke - Chance nutzen *** --------------------------------------------- Wie F-Secure in einem Blog-Post schreibt, sollten Administratoren die Aufräumarbeiten im Zuge der "Heartbleed"-Lücke auch gleich nutzen, um die entsprechenden Konfigurationen auf aktuellen Stand zu bringen. F-Secure empfiehlt dazu den OWASP Transport Layer Protection Cheat Sheet, wir schliessen uns dem an und ergänzen um das Better Crypto Hardening Paper (PDF) von bettercrypto.org. --------------------------------------------- http://www.cert.at/services/blog/20140409164644-1090.html *** JSA10623 - 2014-04 Out of Cycle Security Bulletin: Multiple products affected by OpenSSL "Heartbleed" issue (CVE-2014-0160) *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10623&actp=RSS *** JSA10618 - 2014-04 Security Bulletin: Junos: Kernel panic processing high rate of crafted IGMP packets (CVE-2014-0614) *** --------------------------------------------- http://kb.juniper.net/index?page=content&id=JSA10618&actp=RSS *** OpenVPN Access Server OpenSSL TLS Heartbeat Information Disclosure Vulnerability *** --------------------------------------------- https://secunia.com/advisories/57755 *** Multiple Vulnerabilities in Cisco ASA Software *** --------------------------------------------- Cisco Adaptive Security Appliance (ASA) Software is affected by the following vulnerabilities: Cisco ASA ASDM Privilege Escalation Vulnerability Cisco ASA SSL VPN Privilege Escalation Vulnerability Cisco ASA SSL VPN Authentication Bypass Vulnerability Cisco ASA SIP Denial of Service Vulnerability --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…

1 0

Tageszusammenfassung - Mittwoch 9-04-2014
by Daily end-of-shift report 09 Apr '14

09 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 08-04-2014 18:00 − Mittwoch 09-04-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** Security updates available for Adobe Flash Player (APSB14-09) *** --------------------------------------------- A Security Bulletin (APSB14-09) has been published regarding security updates for Adobe Flash Player. These updates address critical vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the security bulletin. --------------------------------------------- http://blogs.adobe.com/psirt/?p=1081 *** Assessing risk for the April 2014 security updates *** --------------------------------------------- Today we released four security bulletins addressing 11 unique CVE’s. Two bulletins have a maximum severity rating of Critical while the other two have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. --------------------------------------------- http://blogs.technet.com/b/srd/archive/2014/04/08/assessing-risk-for-the-ap… *** Summary for April 2014 - Version: 1.0 *** --------------------------------------------- * Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution * Cumulative Security Update for Internet Explorer * Vulnerability in Windows File Handling Component Could Allow Remote Code Execution * Vulnerability in Microsoft Publisher Could Allow Remote Code Execution --------------------------------------------- http://technet.microsoft.com/en-ca/security/bulletin/ms14-apr *** WordPress 3.8.2 Security Release *** --------------------------------------------- WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately. This releases fixes a weakness that could let an attacker force their way into your site by forging authentication cookies --------------------------------------------- http://wordpress.org/news/2014/04/wordpress-3-8-2/ *** OSISoft PI Interface for DNP3 Improper Input Validation *** --------------------------------------------- OVERVIEWAdam Crain of Automatak and Chris Sistrunk, Sr. Consultant for Mandiant, have identified an improper input validation vulnerability in the OSIsoft PI Interface for DNP3 product. OSIsoft has produced an update that mitigates this vulnerability. OSIsoft and Automatak have tested the new version to validate that it resolves the vulnerabilityThis vulnerability can be remotely exploited. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-098-01 *** WellinTech KingSCADA Stack-Based Buffer Overflow *** --------------------------------------------- An anonymous researcher working with HP’s Zero Day Initiative has identified a stack-based buffer overflow in the WellinTech KingSCADA Stack. WellinTech has produced a patch that mitigates this vulnerability.This vulnerability could be exploited remotely. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-098-02 *** OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products *** --------------------------------------------- Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** The April 2014 Security Updates *** --------------------------------------------- Today, we release four bulletins to address 11 CVEs in Microsoft Windows, Internet Explorer and Microsoft Office. --------------------------------------------- http://blogs.technet.com/b/msrc/archive/2014/04/08/the-april-2014-security-… *** Heartbleed SSL-GAU: Neue Zertifikate braucht das Land *** --------------------------------------------- Ein simples Update reicht nicht: Nach der OpenSSL-Lücke müssen Serverbetreiber Zertifikate austauschen. Bei manchen CAs geht das kostenlos, andere Zertifikats-Anbieter und Hoster belassen es bei Warnungen. --------------------------------------------- http://www.heise.de/newsticker/meldung/Heartbleed-SSL-GAU-Neue-Zertifikate-… *** Juniper SSL VPN (IVEOS) OpenSSL TLS Heartbeat Information Disclosure Vulnerability *** --------------------------------------------- Juniper has acknowledged a vulnerability in Juniper SSL VPN (IVEOS), which can be exploited by malicious people to disclose potentially sensitive information. --------------------------------------------- https://secunia.com/advisories/57758 *** Bugtraq: CVE-2014-0160 mitigation using iptables *** --------------------------------------------- Following up on the CVE-2014-0160 vulnerability, heartbleed. We've created some iptables rules to block all heartbeat queries using the very powerful u32 module. The rules allow you to mitigate systems that can't yet be patched by blocking ALL the heartbeat handshakes. We also like the capability to log external scanners :) --------------------------------------------- http://www.securityfocus.com/archive/1/531779 *** Heartbleed vendor notifications, (Wed, Apr 9th) *** --------------------------------------------- As people are running around having an entertaining day we thought it might be a good idea to keep track of the various vendor notifications. Id like to start a list here and either via comments or sending it let us know of vendor notifications relating to this issue. Please provide comments to the original article relating to the vulnerability itself, and use this post to only provide links to vendor notifications rather than articles etc about the issue. --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17929&rss *** Bugtraq: SQL Injection in Orbit Open Ad Server *** --------------------------------------------- High-Tech Bridge Security Research Lab discovered vulnerability in Orbit Open Ad Server, which can be exploited to perform SQL Injection attacks, alter SQL requests to database of vulnerable application and potentially gain control over the vulnerable website. --------------------------------------------- http://www.securityfocus.com/archive/1/531781 *** Office für Mac: Update stopft kritische Lücke *** --------------------------------------------- Mit einer neuen OS-X-Version von Office 2011 hat Microsoft die RTF-Schwachstelle in Word beseitigt. Die Aktualisierung soll verschiedene Probleme in Outlook, Excel und Word beheben. --------------------------------------------- http://www.heise.de/security/meldung/Office-fuer-Mac-Update-stopft-kritisch… *** Sophos Web Appliance Security Bypass Vulnerability *** --------------------------------------------- A vulnerability has been reported in Sophos Web Appliance, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an unspecified error related to the "Change Password" dialog box and can be exploited to change the administrative password. --------------------------------------------- https://secunia.com/advisories/57706 *** Security Notice-Statement on OpenSSL Heartbeat Extension Vulnerability *** --------------------------------------------- Huawei has noticed information regarding OpenSSL heartbeat extension security vulnerability and immediately launched a thorough investigation. The investigation is still ongoing. Huawei PSIRT will keep updating the SN and will provide conclusions as soon as possible. Please stay tuned. --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices…

1 0

Tageszusammenfassung - Dienstag 8-04-2014
by Daily end-of-shift report 08 Apr '14

08 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 07-04-2014 18:00 − Dienstag 08-04-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** Der GAU für Verschlüsselung im Web: Horror-Bug in OpenSSL *** --------------------------------------------- Ein äußerst schwerwiegender Programmierfehler gefährdet offenbar Verschlüsselung, Schlüssel und Daten der mit OpenSSL gesicherten Verbindungen im Internet. Angesichts der Verbreitung der OpenSource-Biliothek eine ziemliche Katastrophe. --------------------------------------------- http://www.heise.de/security/meldung/Der-GAU-fuer-Verschluesselung-im-Web-H… *** VU#568252: Websense Triton Unified Security Center 7.7.3 information disclosure vulnerability *** --------------------------------------------- Vulnerability Note VU#568252 Websense Triton Unified Security Center 7.7.3 information disclosure vulnerability Original Release date: 07 Apr 2014 | Last revised: 07 Apr 2014 Overview Websense Triton Unified Security Center 7.7.3 and possibly earlier versions contains an information disclosure vulnerability which could allow an authenticated attacker to view stored credentials of a possibly higher privileged user. Description CWE-200: Information ExposureWhen logged into the Websense Triton --------------------------------------------- http://www.kb.cert.org/vuls/id/568252 *** Energieversorger testet Sicherheit – und fällt durch *** --------------------------------------------- In „Stirb langsam 4.0“ fahren Cyber-Gauner übers Internet die komplette Stromversorgung im Osten der USA herunter. Ein unrealistisches Szenario? Nicht ganz ... --------------------------------------------- http://www.heise.de/newsticker/meldung/Energieversorger-testet-Sicherheit-u… *** The Muddy Waters of XP End-of-Life and Public Disclosures *** --------------------------------------------- Security researchers who have privately disclosed Windows XP vulnerabilities to Microsoft may never see patches for their bugs with XPs end of life date at hand. Will there be a rash of public disclosures? --------------------------------------------- http://threatpost.com/the-muddy-waters-of-xp-end-of-life-and-public-disclos… *** 2013 wurden Daten von über 500 Millionen Nutzern geklaut *** --------------------------------------------- Daten von mehr als einer halben Milliarde Internet-Nutzer sind im vergangenen Jahr nach Berechnung von IT-Sicherheitsexperten bei Online-Angriffen gestohlen worden. --------------------------------------------- http://futurezone.at/digital-life/2013-wurden-daten-von-ueber-500-millionen… *** Hintergrund: ct-Fritzbox-Test spürt verborgene Geräte auf *** --------------------------------------------- Manche Nutzer des Fritzbox-Tests erhalten unerwartete Ergebnisse. Nicht selten sind WLAN-APs, Repeater oder andere AVM-Geräte die Ursache. Darüber hinaus gibt es auch einige Fehlerquellen, die einen händischen Test erforderlich machen können. --------------------------------------------- http://www.heise.de/newsticker/meldung/Hintergrund-c-t-Fritzbox-Test-spuert… *** The 2013 Internet Security Threat Report: Year of the Mega Data Breach *** --------------------------------------------- Once again, it’s time to reveal the latest findings from our Internet Security Threat Report (ISTR), which looks at the current state of the threat landscape, based on our research and analysis from the past year. Key trends from this year’s report include the large increase in data breaches and targeted attacks, the evolution of mobile malware and ransomware, and the potential threat posed by the Internet of Things. --------------------------------------------- http://www.symantec.com/connect/blogs/2013-internet-security-threat-report-… *** Cacti Multiple Vulnerabilities *** --------------------------------------------- Some vulnerabilities have been reported in Cacti, which can be exploited by malicious users to conduct script insertion and SQL injection attacks and compromise a vulnerable system. * CVE-2014-2326 * CVE-2014-2708 * CVE-2014-2709 --------------------------------------------- https://secunia.com/advisories/57647 *** Open-Xchange Email Autoconfiguration Information Disclosure Weakness *** --------------------------------------------- A weakness has been reported in Open-Xchange, which can be exploited by malicious people to disclose certain sensitive information. The weakness is caused due to the application communicating certain information via parameters of a GET request when using the email autoconfiguration, which can be exploited to disclose the account password. --------------------------------------------- https://secunia.com/advisories/57654 *** VU#345337: J2k-Codec contains multiple exploitable vulnerabilities *** --------------------------------------------- Vulnerability Note VU#345337 J2k-Codec contains multiple exploitable vulnerabilities Original Release date: 08 Apr 2014 | Last revised: 08 Apr 2014 Overview J2k-Codec contains multiple exploitable vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description J2k-Codec is a JPEG 2000 decoding library for Windows. J2k-Codec contains multiple exploitable exploitable vulnerabilities that can lead to arbitrary code execution. --------------------------------------------- http://www.kb.cert.org/vuls/id/345337

1 0

Tageszusammenfassung - Montag 7-04-2014
by Daily end-of-shift report 07 Apr '14

07 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 04-04-2014 18:00 − Montag 07-04-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** BSI-Webseite mit Prüfung ob die eigene Emailadresse im aktuellen Fall betroffen ist *** --------------------------------------------- Im Rahmen eines laufenden Ermittlungsverfahrens der Staatsanwaltschaft Verden (Aller) ist erneut ein Fall von großflächigem Identitätsdiebstahl aufgedeckt worden. ... Diese Webseite bietet eine Überprüfungsmöglichkeit, ob Sie von dem Identitätsdiebstahl betroffen sind. --------------------------------------------- https://www.sicherheitstest.bsi.de/ *** VirusShield: Nur ein Logo - sonst nichts *** --------------------------------------------- Die App VirusShield für Android erreichte innerhalb kürzester Zeit enorme Verkaufszahlen. Jedoch: Die App tut überhaupt nichts. (Google, Virenscanner) --------------------------------------------- http://www.golem.de/news/virusshield-nur-ein-logo-sonst-nichts-1404-105677-… *** Hash-Funktion: Entwurf für SHA-3-Standard liegt vor *** --------------------------------------------- Die US-Behörde Nist hat einen Entwurf für die Standardisierung der Hashfunktion SHA-3 vorgelegt. Drei Monate lang besteht nun die Möglichkeit, diesen zu kommentieren. (Technologie, Verschlüsselung) --------------------------------------------- http://www.golem.de/news/hash-funktion-entwurf-fuer-sha-3-standard-liegt-vo… *** Those strange e-mails with URLs in them can lead to Android malware, (Sat, Apr 5th) *** --------------------------------------------- Youve probably gotten a few of these e-mails over the last few months (I saw the first one of this latest kind in early Feb), we got one to the handlers list earlier this week which prompted this diary. They seem pretty innocuous, they have little or no text and a URL like the one shown below. Note: the above link doesnt lead to the malware anymore, so I didnt obscure it. Most seem to be sent from Yahoo! (or Yahoo!-related e-mail addresses), so they may be coming from addresses that were --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17909&rss *** XMPP-Layer Compression Uncontrolled Resource Consumption *** --------------------------------------------- Topic: XMPP-Layer Compression Uncontrolled Resource Consumption Risk: Medium Text:Uncontrolled Resource Consumption with XMPP-Layer Compression Original Release Date: 2014-04-04 Last Updated: 2014-04-04 ... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014040034 *** Fake Voting Campaign Steals Facebook Users’ Identities *** --------------------------------------------- Contributor: Parag SawantPhishers continuously come up with various plans to enhance their chances of harvesting users’ sensitive information. Symantec recently observed a phishing campaign where data is collected through a fake voting site which asks users to decide whether boys or girls are greater.read more --------------------------------------------- http://www.symantec.com/connect/blogs/fake-voting-campaign-steals-facebook-… *** Advice for Enterprises in 2014: Protect Your Core Data *** --------------------------------------------- Some companies may think – “if it can happen to a spy agency, there’s nothing we could do. We should just give up and not protect our data anymore.” Others may say: “let’s build a bigger wall around our data.” Both approaches are incorrect. Obviously, you have to protect your data. However, neither can enterprises just try and protect everything with the same rigor. ... What an enterprise needs to focus on is what really needs to be protected. --------------------------------------------- http://blog.trendmicro.com/trendlabs-security-intelligence/advice-for-enter… *** Microsoft spells out new rules for exiling .EXEs *** --------------------------------------------- Microsoft has updated the methodology it uses to define adware, a move designed to make it clearer just what the company considers worthy for removal by its malware tools. ... The kinds of “unwanted behaviours” that Redmond is looking for will be familiar to anyone whos been burned by mistakenly clicking on the link, with lack of user choice or control topping the list. --------------------------------------------- http://www.theregister.co.uk/2014/04/07/microsoft_puts_adware_in_the_crossh… *** Netgear schließt Hintertür in Modemrouter DGN1000 *** --------------------------------------------- Die Firma hat ein Firmware-Update veröffentlicht, das die Hintertür auf Port 32764 des DSL-Modemrouters schließen soll. Über die Lücke können Angreifer die Passwörter der Geräte abgreifen. --------------------------------------------- http://www.heise.de/security/meldung/Netgear-schliesst-Hintertuer-in-Modemr… *** RSA Data Loss Prevention Security Bypass Security Issue *** --------------------------------------------- A security issue has been reported in RSA Data Loss Prevent, which can be exploited by malicious users to bypass certain security restrictions. The security issue is caused due an error within the session management and can be exploited to access otherwise restricted content. --------------------------------------------- https://secunia.com/advisories/57464

1 0

Tageszusammenfassung - Freitag 4-04-2014
by Daily end-of-shift report 04 Apr '14

04 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 03-04-2014 18:00 − Freitag 04-04-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** SMBEXEC Rapid Post Exploitation Tool *** --------------------------------------------- Smbexec is a tool that you can use for penetration testing domain controllers, the program allows to run post exploitation for domain accounts and expand the access to targeted network. this makes pentester have a full access without any privilege requirement. --------------------------------------------- http://www.sectechno.com/2014/03/30/smbexec-rapid-post-exploitation-tool/ *** IBM Security Bulletin: Fixes available for Cross Site Scripting vulnerabilities in IBM WebSphere Portal (CVE-2014-0828 and CVE-2014-0901) *** --------------------------------------------- Fixes are available for Cross Site Scripting vulnerabilities in IBM WebSphere Portal. CVE(s): CVE-2014-0828 and CVE-2014-0901 --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** IBM Security Bulletin: WebSphere Partner Gateway Advanced/Enterprise is affected by vulnerabilities that exist in the IBM SDK for Java (CVE-2014-0411) *** --------------------------------------------- WebSphere Partner Gateway Advanced/Enterprise uses IBM SDK for Java that is based on Oracle JDK . Oracle has released January 2014 critical patch updates (CPU) which contain security vulnerability fixes. The IBM SDK for Java has been updated to incorporate these fixes. CVE(s): CVE-2014-0411 --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** OTRS Help Desk clickjacking *** --------------------------------------------- OTRS Help Desk could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could send a specially-crafted HTTP request to hijack the victim's click actions or launch other client-side browser attacks. --------------------------------------------- http://xforce.iss.net/xforce/xfdb/92233 *** iOS 7.1 bug enables iCloud account deletion, disabling Find My iPhone, without password *** --------------------------------------------- A bug demonstrated by a YouTube user on Wednesday may enable a thief to delete an iCloud account, disable Find My iPhone, and ultimately restore the device, without the need of a password. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/kToL7uqo4FE/ *** Your files held hostage by CryptoDefense? Dont pay up! The decryption key is on your hard drive *** --------------------------------------------- Blunder discovered in latest ransomware infecting PCs A basic rookie programming error has crippled an otherwise advanced piece of ransomware dubbed CryptoDefense – but the crap coders are still pulling in more than $30,000 a month from unwary punters.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/04/03/cryptodefen… *** Advance Notification Service for the April 2014 Security Bulletin Release *** --------------------------------------------- Today we provide advance notification for the release of four bulletins, two rated Critical and two rated Important in severity. These updates address issues in Microsoft Windows, Office and Internet Explorer. The update provided through MS14-017 fully addresses the Microsoft Word issue first described in Security Advisory 2953095. This advisory also included a Fix it to disable opening rich-text format (RTF) files within Microsoft Word. Once the security update is applied, you should disable --------------------------------------------- http://blogs.technet.com/b/msrc/archive/2014/04/03/advance-notification-ser… *** Schneider Electric OPC Factory Server Buffer Overflow *** --------------------------------------------- OVERVIEW Researcher Wei Gao, formerly of IXIA, has identified a buffer overflow vulnerability in the Schneider Electric OPC Factory Server (OFS) application. Schneider Electric has produced a patch that mitigates this vulnerability. Wei Gao has tested the patch to validate that it resolves the vulnerability.This vulnerability could be exploited remotely. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-093-01 *** Adware: A new approach *** --------------------------------------------- Here at the Microsoft Malware Protection Center (MMPC) we understand advertising is part of the modern computing experience. However, we want to give our customers choice and control regarding what happens with their computers. To that end we have recently undergone some changes to both the criteria we use to classify a program as adware and how we remediate it when we find it. This blog will help explain the new criteria and how it affects some programs. Our updated objective criteria --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2014/04/03/adware-a-new-approach.as… *** Zeus malware found with valid digital certificate *** --------------------------------------------- A recently discovered variant of the Zeus banking Trojan was found to use a legitimate digital signature to avoid detection from Web browsers and anti-virus systems.Security vendor Comodo reported Thursday finding the variant 200 times while monitoring and analyzing data from users of its Internet security system. The variant includes the digital signature, a rootkit and a data-stealing malware component."Malware with a valid digital signature is an extremely dangerous situation," the --------------------------------------------- http://www.csoonline.com/article/2140021/data-protection/zeus-malware-found… *** Linux-PAM "pam_timestamp" Module Two Directory Traversal Vulnerabilities *** --------------------------------------------- Two vulnerabilities have been reported in Linux-PAM, which can be exploited by malicious people to bypass certain security restrictions. --------------------------------------------- https://secunia.com/advisories/57317 *** E-Mail-Konten gehackt: BSI will Millionen betroffene Nutzer informieren *** --------------------------------------------- Behörden und Provider wollen die Nutzer über den Hack von E-Mail-Konten informieren. Wie und wann die Aktion starten soll, steht aber noch nicht fest. (Spam, Computer) --------------------------------------------- http://www.golem.de/news/e-mail-konten-gehackt-bsi-will-millionen-betroffen… *** TLS-Bibliotheken: Fehler finden mit fehlerhaften Zertifikaten *** --------------------------------------------- Mit Hilfe von fehlerhaften X.509-Zertifikaten haben Forscher zahlreiche zum Teil sicherheitskritische Bugs in TLS-Bibliotheken gefunden. Erneut wurde dabei eine gravierende Sicherheitslücke in GnuTLS entdeckt. (Browser, Technologie) --------------------------------------------- http://www.golem.de/news/tls-bibliotheken-fehler-finden-mit-fehlerhaften-ze… *** Cisco Emergency Responder - Multiple vulnerabilities *** --------------------------------------------- Cross-Site Scripting - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… Cross-Site Request Forgery - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… Open Redirect - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… Dynamic Content Modification - http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** PHP 5.4.27 released, (Fri, Apr 4th) *** --------------------------------------------- A new version of PHP has been released. The announcement comments: "The PHP development team announces the immediate availability of PHP 5.4.27. 6 bugs were fixed in this release, including CVE-2013-7345 in fileinfo module." --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17901&rss *** April 8th: Not Just About XP *** --------------------------------------------- April 8th will soon be upon us! And that means…Countdown Clocks…the end of extended support for Windows XP. But not just XP. Office 2003 is also reaching its life.And thats especially important to know because theres currently an Office vulnerability in the wild.Microsoft released its Security Bulletin Advance Notification yesterday: And the good news is: a patch for the Word vulnerability appears to be in the pipeline. --------------------------------------------- http://www.f-secure.com/weblog/archives/00002690.html *** Dealing with Disaster - A Short Malware Incident Response, (Fri, Apr 4th) *** --------------------------------------------- I had a client call me recently with a full on service outage - his servers werent reachable, his VOIP phones were giving him more static than voice, and his Exchange server wasnt sending or receiving mail - pretty much everything was offline. I VPNd in (I was not onsite) and started with the firewall, because things were bad enough thats all I could initially get to from a VPN session. --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17905&rss *** Cisco IOS XR Software ICMPv6 Redirect Vulnerability *** --------------------------------------------- A vulnerability in Internet Control Message Protocol version 6 (ICMPv6) processing of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to affect IPv4 and IPv6 traffic passing through an affected device. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** Researchers Uncover Interesting Browser-Based Botnet *** --------------------------------------------- Security researchers discovered an odd DDoS attack against several sites recently that relied on a persistent cross-site scripting vulnerability in a major video Web site and hijacked users’ browsers in order to flood the site with traffic. The attack on the unnamed site involved the use of injected Javascript on the site which would execute in […] --------------------------------------------- http://threatpost.com/researchers-uncover-interesting-browser-based-botnet/…

1 0

Tageszusammenfassung - Donnerstag 3-04-2014
by Daily end-of-shift report 03 Apr '14

03 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 02-04-2014 18:00 − Donnerstag 03-04-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** Researchers Divulge 30 Oracle Java Cloud Service Bugs *** --------------------------------------------- Upset with the vulnerability handling process at Oracle, researchers yesterday disclosed over two dozen issues with the company’s Java Cloud Service platform. --------------------------------------------- http://threatpost.com/researchers-divulge-30-oracle-java-cloud-service-bugs… *** Ad Violations: Why Search Engines Won’t Display Your Site If it’s Infected With Malware *** --------------------------------------------- As your site’s webmaster, have you ever seen an e-mail from Google like this: Hello, We wanted to alert you that one of your sites violates our advertising policies. Therefore, we won’t be able to run any of your ads that link to that site, and any new ads pointing to that site will alsoRead More --------------------------------------------- http://feedproxy.google.com/~r/sucuri/blog/~3/kz7JGX2ydIU/ad-violations-why… *** IBM Lotus Web Content Managemen cross-site scripting *** --------------------------------------------- IBM Lotus Web Content Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. --------------------------------------------- http://xforce.iss.net/xforce/xfdb/90566 *** Watching the watchers, (Thu, Apr 3rd) *** --------------------------------------------- A lot of companies today have various IDS and IPS devices implemented in their internal network (especially if you must be compliant with PCI DSS, for example). So these devices get implemented to monitor various traffic at various interfaces/perimeters in a company, but the question I got asked is how can we be sure that the IDS/IPS is doing its job? Obviously, some simple monitoring should be in place – this typically consists of pinging the device or collecting various counters such --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17895&rss *** Macro-Enabled Files Used as Infection Vectors (Again) *** --------------------------------------------- Macro-based attacks were popular in the early 2000s, but they gained much notoriety with the much publicized coverage of the Melissa virus. However, macro-based attacks soon began to drop off the radar. One major reason for this would be the security measures implemented by Microsoft to address malicious macro files. Another probable reason would also […]Post from: Trendlabs Security Intelligence Blog - by Trend MicroMacro-Enabled Files Used as Infection Vectors (Again) --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/1X49GtDdVuU/ *** New Check_MK stable release 1.2.4p1 *** --------------------------------------------- The most important changes are security patches for two CVEs (CVE-2014-2330 and CVE-2014-2331) which have been published on 2014-03-24 and 2014-03-28 on the bugtraq mailinglist. The mail from 2014-03-24 contained wrong information on the not-fixed issues, which had been corrected with the mail from 2014-03-28. All of the reported security related issues are fixed with this release. --------------------------------------------- http://lists.mathias-kettner.de/pipermail/checkmk-announce/2014-April/00008… *** A Series of Introductory Malware Analysis Webcasts *** --------------------------------------------- If you are looking to get started with malware analysis, tune into the webcast series I created to illustrate key tools and techniques for examining malicious software. --------------------------------------------- http://blog.zeltser.com/post/80874760857/introductory-malware-analysis-webc… *** Twelve sources of global cyber attack maps *** --------------------------------------------- 1 - Cyber Warfare Real Time Map by Kaspersky 2 - Top Daily DDoS Attacks Worldwide by Google 3 - Security Tachometer by Deutche Telekom 4 - Cyberfeed Live Botnet Map by AnubisNetworks 5 - Real-time Web Monitor by Akamai 6 - IpViking Live Map by Norse 7 - Honeypots from the Honeynet Project 8 - Global Activity Maps by Arbor 9 - Global Botnet Threat Activity Map by Trend Micro 10 - DDoS Attacks by ShadowServer 11 - Internet Malicious Activity Maps by TeamCymru 12 - Globe and WorldMap by F-Secure --------------------------------------------- http://sseguranca.blogspot.com.br/2014/03/ten-sources-of-global-cyber-attac… *** SNMPCheck - Enumerate the SNMP devices *** --------------------------------------------- Like to snmpwalk, snmpcheck allows you to enumerate the SNMP devices and places the output in a very human readable friendly format. It could be useful for penetration testing or systems monitoring. --------------------------------------------- http://hack-tools.blackploit.com/2014/04/snmpcheck-enumerate-snmp-devices.h… *** The Right Stuff: Staffing Your Corporate SOC *** --------------------------------------------- In my experience, passing a certification exam or getting a degree simply shows that a potential employee is a good test-taker or has the determination to plow through a degree program. Neither substitutes for the wealth of experience SOC analysts need to be good at their jobs. Don’t get me wrong. Certification programs can be an important piece of a cyber-security practitioner’s complete education. --------------------------------------------- http://www.darkreading.com/operations/careers-and-people/the-right-stuff-st… *** FortiBalancer SSH Access Security Bypass Vulnerability *** --------------------------------------------- A vulnerability has been reported in FortiBalancer, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to a configuration error related to SSH access and can be exploited to gain otherwise restricted SSH access. The vulnerability is reported in FortiBalancer 400, 1000, 2000, and 3000. --------------------------------------------- https://secunia.com/advisories/57673 *** Sicherheit: Fahnder entdecken Datensatz mit 18 Millionen Mailkonten *** --------------------------------------------- Schon wieder ist eine Datei mit Millionen gehackten Mailkonten sichergestellt worden. Alle großen deutschen E-Mail-Provider und mehrere internationale Anbieter sollen betroffen sein. (Spam, Computer) --------------------------------------------- http://www.golem.de/news/sicherheit-fahnder-entdecken-datensatz-mit-18-mill… *** Tool Estimates Incident Response Cost for Businesses *** --------------------------------------------- A new tool called CyberTab will help businesses estimate the cost of real and potential cyberattacks, and the amount a company could possibly save by investing in preventative measures and technologies. --------------------------------------------- http://threatpost.com/tool-estimates-incident-response-cost-for-businesses/… *** Bugtraq: [softScheck] Denial of Service in Microsoft Office 2007-2013 *** --------------------------------------------- softScheck has identified a Denial of Service vulnerability in Microsoft Outlook 2007-2013. A remote attacker can send a plaintext email containing an XML bomb as the message body, causing Outlook to freeze while opening the email. This forces the user to terminate the Outlook process. In the default Outlook configuration, in which email contents are displayed in a reading pane in the main window, the impact is more severe: Outlook will freeze while starting and will not be able to start anymore, since it tries to open and display the email during startup. To resolve the issue, Outlook needs to be started in safe mode and the email needs to be deleted. --------------------------------------------- http://www.securityfocus.com/archive/1/531722 *** DFRWS EU 2014 Annual Conference *** --------------------------------------------- DFRWS has a long history of being the foremost digital forensics research venue and has decided to hold a sister conference to bring the same opportunities to Europe. The first annual DFRWS EU conference will be held from May 7 to 9, 2014 in Amsterdam, NL. --------------------------------------------- http://www.dfrws.org/2014eu/ *** Cisco IOS Software IKE Main Mode Vulnerability *** --------------------------------------------- A vulnerability in the Internet Key Exchange (IKE) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to delete established security associations on an affected device. The vulnerability is due to improper handling of rogue IKE Main Mode packets. An attacker could exploit this vulnerability by sending a crafted IKE Main Mode packet to an affected device. An exploit could allow the attacker to cause valid, established IKE security associations on an affected device to drop. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…

1 0

Tageszusammenfassung - Mittwoch 2-04-2014
by Daily end-of-shift report 02 Apr '14

02 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 01-04-2014 18:00 − Mittwoch 02-04-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** Whitehat Securitys Aviator browser is coming to Windows *** --------------------------------------------- I have had the privilege of knowing Jeremiah Grossman, the iCEO of Whitehat Security, for many years now. He has spoken on many occasions about web security and specifically web browser security or rather, the lack thereof. I recall at one point asking him, "OK, what do you use as a web browser?" He paused, smiled and said, "My own". That Cheshire cat response played over again in my head when Whitehat Security released their browser offering called Aviator. This is a --------------------------------------------- http://www.csoonline.com/article/2136258/application-security/whitehat-secu… *** 110,000 Wordpress Databases Exposed *** --------------------------------------------- For years now Ive been writing my various blog posts and I have used many different kinds of CMS platforms right back to posting using VI back in the 90s. My favourite platform that Ive used to create content has been Wordpress by far. I can almost here the security folks cringe. Yes, it is a massive headache to lockdown. But, I fight on as the user experience makes the pain worthwhile. OK, maybe worthwhile isnt the correct word. This is a platform that has had a long history of security --------------------------------------------- http://www.csoonline.com/article/2136246/application-security/110-000-wordp… *** "ct wissen Windows": So meistern Sie das Support-Ende von Windows XP *** --------------------------------------------- Pünktlich zum Support-Ende von Windows XP veröffentlichen wir mit dem "ct wissen Windows" ein Handbuch für alle Betroffenen. Es erläutert nicht nur, was das Support-Ende genau bedeutet, sondern liefert vor allem Praxis-Anleitungen. --------------------------------------------- http://www.heise.de/newsticker/meldung/c-t-wissen-Windows-So-meistern-Sie-d… *** Call for packets udp/137 broadcast, (Tue, Apr 1st) *** --------------------------------------------- One of our readers have reported that he has seen a broadcast traffic to udp/137 . He suspected that the traffic cause a denial of service to some of his systems. If you have seen such traffic and you would like to share some packets we would appreciate that. (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17887&rss *** AlienVault Open Source SIM date_from SQL injection *** --------------------------------------------- AlienVault Open Source SIM (OSSIM) is vulnerable to SQL injection. A remote authenticated attacker could send specially-crafted SQL statements to the ISO27001Bar1.php script using the date_from parameter, which could allow the attacker to view, add, modify or delete information in the back-end database. --------------------------------------------- http://xforce.iss.net/xforce/xfdb/92172 *** Password bug let me see shoppers credit cards in eBay ProStores, claims infosec bod *** --------------------------------------------- Online bazaar fixes store account hijack flaw, were told A serious vulnerability that potentially allowed shoplifters to empty eBay ProStores shops and swipe customer credit cards has been fixed according to the security researcher who says he found the hole. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/04/01/ebay_stores… *** Fake Google apps removed from Window Phone Store by Microsoft *** --------------------------------------------- Five phony Google apps appeared in the app store, each with a $1.99 price tag, before being removed by the company. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/fXb73Il-oZg/ *** Hack of Boxee.tv exposes password data, messages for 158,000 users *** --------------------------------------------- Huge file circulating online contains e-mail addresses, full message histories. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/B676MRE54C8/ *** IT Analyst Highlights 6 IT Security 'Worst Practices' *** --------------------------------------------- In a new Network World article, prominent IT analyst and researcher Linda Musthaler is highlighting 6 'worst practices' that companies commit on their way to undermining, destabilizing, or just plain wrecking their IT security efforts: Failing to stay up-to-date with the latest technologies and techniques. Neglecting to take a comprehensive network security approach that also [...]The post IT Analyst Highlights 6 IT Security 'Worst Practices' appeared first on Seculert --------------------------------------------- http://www.seculert.com/blog/2014/04/it-analyst-highlights-6-it-security-wo… *** HP integrated Lights Out (iLO) IPMI Protocol Flaw Lets Remote Users Obtain Hashed Passwords *** --------------------------------------------- A vulnerability was reported in HP integrated Lights Out (iLO). A remote user can gain obtain hashed passwords. A remote user can invoke the IPMI 2.0 protocol to obtain the target user's salted SHA1 or MD5 hash. The vulnerability resides in the protocol design and is mandated by the IPMI 2.0 specification. --------------------------------------------- http://www.securitytracker.com/id/1029981 *** Extended Random: The PHANTOM NSA-RSA backdoor that never was *** --------------------------------------------- Profs paper was all about attacking Dual EC DRBG, not a Snowden-esque spy bombshell Over the last day or so the security press has been touting stories of a second NSA-induced backdoor in RSAs encryption software BSafe. But it appears to be more sound and fury than substance. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/04/02/extended_ra… *** Safari für Mac OS X: Update schließt Sicherheitslücken und bringt einige Neuerungen *** --------------------------------------------- Der Apple-Webbrowser ist für OS X Mavericks und OS X Mountain Lion in neuen Versionen verfügbar. Neben Patches gegen Sicherheitslücken gibt es Bugfixes und Änderungen an der Benachrichtigungsfunktion. --------------------------------------------- http://www.heise.de/security/meldung/Safari-fuer-Mac-OS-X-Update-schliesst-… *** [2014-04-02] Multiple vulnerabilities in Rhythm File Manager *** --------------------------------------------- An attacker being able to connect to the Android device (e.g. if he uses the same Wireless network), can access arbitrary local files from the device while the File Manager app is being used to stream media. Moreover, a malicious Android app or an attacker being able to connect to the Android device may issue system commands as the user "root" if "root browsing" is enabled. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014… *** Analysis: Financial cyber threats in 2013. Part 1: phishing *** --------------------------------------------- It has been quite a few years since cybercriminals started actively stealing money from user accounts at online stores, e-payment systems and online banking systems. --------------------------------------------- http://www.securelist.com/en/analysis/204792330/Financial_cyber_threats_in_… *** Bugtraq: [IMF 2014] Call for Participation *** --------------------------------------------- See the program at: http://www.imf-conference.org/imf2014/program.html The conference will take place from Monday, May 12th through Wednesday, May 14th in Münster, Germany. Registration details: http://www.imf-conference.org/imf2014/registration.html --------------------------------------------- http://www.securityfocus.com/archive/1/531707 *** VU#917700: Huawei Echo Life HG8247 optical router XSS vulnerability *** --------------------------------------------- Vulnerability Note VU#917700 Huawei Echo Life HG8247 optical router XSS vulnerability Original Release date: 02 Apr 2014 | Last revised: 02 Apr 2014 Overview Huawei Echo Life HG8247 optical router contains a stored cross-site scripting (XSS) vulnerability Description It has been reported that Huawei Echo Life HG8247 optical routers running software version V1R006C00S120 or earlier contain a stored cross-site scripting (XSS) vulnerability. An unauthenticated attacker can perform a stored --------------------------------------------- http://www.kb.cert.org/vuls/id/917700

1 0

Tageszusammenfassung - Dienstag 1-04-2014
by Daily end-of-shift report 01 Apr '14

01 Apr '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 31-03-2014 18:00 − Dienstag 01-04-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** Report: RSA endowed crypto product with second NSA-influenced code *** --------------------------------------------- Extended Random like "dousing yourself with gasoline," professor warns. --------------------------------------------- http://feeds.arstechnica.com/~r/arstechnica/security/~3/TbwAXYKTq34/ *** Old School Code Injection in an ATM .dll *** --------------------------------------------- During our last ATM review engagement, we found some interesting executable files that were run by Windows Services under Local System account. These binaries had weak file permissions that allowed us to modify them using the standard ATM user account. As a proof of concept, I decided to inject some code into one of them to take full control of the system. This post is about the technique I used to inject the code into a .dll used by one of the Windows Services. I’m sure there are many --------------------------------------------- http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/CRAp6jZhvVE/injecting-… *** A Look at the GnuTLS X.509 Verification Code Flaw *** --------------------------------------------- ... it was found that the GnuTLS X.509 certificate verification code fails to properly handle certain error conditions that may occur during the certificate verification process. While verifying the certificate, GnuTLS would report it as successful verification of the certificate, even though verification should have resulted in a failure. This means that invalid certificates may be accepted as valid, --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/iSFhF7R9kFI/ *** Creating an intelligent “sandbox” for coordinated malware eradication *** --------------------------------------------- Hello from China where I am presenting on coordinated malware eradication at the 2014 PC Security Labs Information Security Conference. Coordinated malware eradication was also the topic of my last blog. I said the antimalware ecosystem must begin to work with new types of partners if we are going to move from the current state of uncoordinated malware disruption, to a state of coordinated malware eradication. --------------------------------------------- http://blogs.technet.com/b/mmpc/archive/2014/03/31/creating-an-intelligent-… *** Its not the breach that kills you, its the cover-up *** --------------------------------------------- Its how you handle yourself during and after a breach that will determine just how detrimental the breach actually is for your organization. --------------------------------------------- http://feedproxy.google.com/~r/SCMagazineHome/~3/Mi55LWhfA9c/ *** Managing Windows XP’s Risks in a Post-Support World *** --------------------------------------------- There are now less than two weeks left until Microsoft terminates support for the incredibly long-lived Windows XP. Rarely has a tech product lasted as long as XP has – from XP’s launch on October 25, 2001 to its last Patch Tuesday on April 8, 2014 a total of 12 years, 5 months, and two […]Post from: Trendlabs Security Intelligence Blog - by Trend MicroManaging Windows XP’s Risks in a Post-Support World --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/fSwrdK2qOeg/ *** EMC Cloud Tiering Appliance Request Validation Flaw Lets Remote Users View Files *** --------------------------------------------- A vulnerability was reported in EMC Cloud Tiering Appliance. A remote user can view files on the target system. The '/api/login' script does not properly validate user-supplied input. A remote user can supply a specially crafted XML External Entity (XXE) link to view files on target system with root privileges. --------------------------------------------- http://www.securitytracker.com/id/1029979 *** Grazer Linuxtage 2014: "Sicherheit im Netz" mit freier Software *** --------------------------------------------- Alternative Software-Szene lädt an der FH-Joanneum zu Workshops und Vorträgen --------------------------------------------- http://derstandard.at/1395363812795 *** Horde webmail - Open Redirect Vulnerability *** --------------------------------------------- An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it. --------------------------------------------- http://cxsecurity.com/issue/WLB-2014040004 *** ModSecurity HTTP Requests Chunked Encoding Security Bypass Vulnerability *** --------------------------------------------- Martin Holst Swende has reported a vulnerability in ModSecurity, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an error in the "modsecurity_tx_init()" function (apache2/modsecurity.c), which can be exploited to bypass the HTTP request body processing via a specially crafted request using chunked encoding. --------------------------------------------- https://secunia.com/advisories/57444 *** ct-Special "Umstieg auf Linux" am Kiosk erhältlich *** --------------------------------------------- Umsteigen auf Linux – warum nicht? Linux bietet eine Menge Vorteile – nicht nur für XP-Anwender, die demnächst keine Sicherheits-Fixes von Microsoft mehr erhalten. Das neue Sonderheft der ct-Redaktion hilft beim sanften Umstieg von Windows auf Linux. --------------------------------------------- http://www.heise.de/newsticker/meldung/c-t-Special-Umstieg-auf-Linux-am-Kio… *** IBM WebSphere Portal Two Cross-Site Scripting Vulnerabilities *** --------------------------------------------- Two vulnerabilities have been reported in IBM WebSphere Portal, which can be exploited by malicious people to conduct cross-site scripting attacks. --------------------------------------------- https://secunia.com/advisories/57592 *** cPanel Multiple Vulnerabilities *** --------------------------------------------- Two weaknesses, a security issue, and multiple vulnerabilities have been reported in cPanel, which can be exploited by malicious, local users to disclose potentially sensitive information and manipulate certain data, by malicious users to disclose potentially sensitive information, conduct script insertion attacks, manipulate certain data, and compromise a vulnerable system and by malicious people to conduct spoofing and cross-site scripting attacks and bypass certain security restrictions. --------------------------------------------- https://secunia.com/advisories/57576 *** VU#893726: Zyxel P660 series modem/router denial of service vulnerability *** --------------------------------------------- Zyxel P660 series modem/router contains a denial of service vulnerability when parsing a high volume of SYN packets on the web management interface. --------------------------------------------- http://www.kb.cert.org/vuls/id/893726 *** Cisco Security Manager HTTP Header Redirection Vulnerability *** --------------------------------------------- A vulnerability in the web framework of Cisco Security Manager could allow an unauthenticated, remote attacker to inject a crafted HTTP header which will cause a web page redirection to a possible malicious website. The vulnerability is due to insufficient validation user input of user input before using it as an HTTP header value. An attacker could exploit this vulnerability by convincing a user to access a crafted URL. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014… *** Cisco WSA HTTP Header Injection Vulnerability *** --------------------------------------------- A vulnerability in the web framework of Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to inject a crafted HTTP header that could cause a web page redirection to a possible malicious website. The vulnerability is due to insufficient validation of user input before using it as an HTTP header value. An attacker could exploit this vulnerability by persuading a user to access a crafted URL. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…

1 0

Tageszusammenfassung - Montag 31-03-2014
by Daily end-of-shift report 31 Mar '14

31 Mar '14

======================= = End-of-Shift report = ======================= Timeframe: Freitag 28-03-2014 18:00 − Montag 31-03-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** Siemens ROS Improper Input Validation *** --------------------------------------------- Researcher Aivar Liimets from Martem Telecontrol Systems reported an improper input validation vulnerability in the Siemens Rugged Operating System (ROS), which could cause a denial-of-service (DoS) condition against the device's management web interface. Siemens coordinated the vulnerability details with NCCIC/ICS-CERT and has provided information for mitigation of the vulnerability.This vulnerability can be exploited remotely. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-087-01 *** WiFi Bug Plagues Philips Internet-Enabled TVs *** --------------------------------------------- Some versions of Philips internet-enabled SmartTVs are vulnerable to cookie theft and an array of other tricks that abuse a lax WiFi setting. --------------------------------------------- http://threatpost.com/wifi-bug-plagues-philips-internet-enabled-tvs/105119 *** VulDB: Adobe Reader 11.0.06 Sandbox erweiterte Rechte *** --------------------------------------------- Die Schwachstelle wurde am 28.03.2014 von VUPEN via Pwn2Own 2014 publiziert. Die Identifikation der Schwachstelle wird seit dem 20.12.2013 mit CVE-2014-0512 vorgenommen. Sie ist schwierig auszunutzen. Der Angriff kann über das Netzwerk erfolgen. Zur Ausnutzung ist keine spezifische Authentisierung erforderlich. Es sind zwar keine technische Details, jedoch ein privater Exploit zur Schwachstelle bekannt. --------------------------------------------- http://www.scip.ch/?vuldb.12723 *** Adobe Flash Player Bugs Let Remote Users Execute Arbitrary Code *** --------------------------------------------- A remote user can create specially crafted content that, when loaded by the target user on a Windows-based system, will trigger a use-after-free and execute arbitrary code on the target system [CVE-2014-0506]. The code will run with the privileges of the target user. VUPEN reported this vulnerability (via Pwn2Own at CanSecWest 2014). A remote user can create specially crafted content that, when loaded by the target user, will trigger a heap overflow and execute arbitrary code on the target system [CVE-2014-0510]. The code will run with the privileges of the target user. Zeguang Zhao and Liang Chen reported this vulnerability (via Pwn2Own at CanSecWest 2014). --------------------------------------------- http://www.securitytracker.com/id/1029969 --------------------------------------------- (Notiz: soweit wir bisher herausfinden konnten, sind noch keine Exploits dazu "in the wild" aufgetaucht.) --------------------------------------------- *** nginx 1.4.6/1.5.11 Heap-based buffer overflow in the SPDY *** --------------------------------------------- A bug in the experimental SPDY implementation in nginx was found, which might allow an attacker to cause a heap memory buffer overflow in a worker process by using a specially crafted request, potentially resulting in arbitrary code execution (CVE-2014-0133). The problem affects nginx 1.3.15 - 1.5.11, compiled with the ngx_http_spdy_module module (which is not compiled by default) and without --with-debug configure option, if the "spdy" option of the "listen" directive is used in a configuration file. The problem is fixed in nginx 1.5.12, 1.4.7. --------------------------------------------- http://cxsecurity.com/issue/WLB-2014030250 *** Chip.de-Forum offenbar gehackt: 2,5 Millionen Nutzerdaten betroffen *** --------------------------------------------- Forumsmitglieder wurden per Mail über Hack informiert - Passwörter wurden außerdem unzureichend geschützt --------------------------------------------- http://derstandard.at/1395363600546 *** Who's Behind the "BLS Weblearn" Credit Card Scam? *** --------------------------------------------- A new rash of credit and debit card scams involving bogus sub-$15 charges and attributed to a company called "BLS Weblearn" is part of a prolific international scheme designed to fleece unwary consumers. This post delves deeper into the history and identity of the credit card processing network that has been enabling this type of activity for years. --------------------------------------------- http://feedproxy.google.com/~r/KrebsOnSecurity/~3/MxEDIVQPC94/ *** More Device Malware: This is why your DVR attacked my Synology Disk Station, (Mon, Mar 31st) *** --------------------------------------------- Last week, we reported that some of the hosts scanning for port 5000 are DVRs (to be more precise: Hikvision DVRs, commonly used to record video from surveillance cameras [1] ). Today, we were able to recover the malware responsible. You can download the malware here https://isc.sans.edu/diaryimages/hikvision.zip (password: infected) . The malware resides in /dev/cmd.so . A number of additional suspect files where located in the /dev directory which we still need to recover / analyze from the --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17879&rss *** Crack team of cyber warriors arrives to SAVE UK from grid-crippling HACK ATTACKS *** --------------------------------------------- National CERT goes live today The UK is finally getting a national Computer Emergency Response Team (CERT), with the delayed launch of the organisation taking place today. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/03/31/cert_uk_lau… *** Cisco Security Response Team Opens Its Toolbox *** --------------------------------------------- With a variety of security tools, CSIRT is able to detect and analyze malicious traffic throughout the network, including virus propagation, targeted attacks, and commonplace exploits. Because CSIRT continually identifies new security threats, the team needs some historical look-back at what occurred on the network. They also need a solution that can dissect the finer details of security incidents while facing the ever-present restrictions with data storage. --------------------------------------------- https://blogs.cisco.com/security/cisco-security-response-team-opens-its-too…

1 0

Tageszusammenfassung - Freitag 28-03-2014
by Daily end-of-shift report 28 Mar '14

28 Mar '14

======================= = End-of-Shift report = ======================= Timeframe: Donnerstag 27-03-2014 18:00 − Freitag 28-03-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** New PGP keys *** --------------------------------------------- At CERT.at we had to phase out some old 1024 bit DSA keys as well as create new master-signing keys. This turned out to be a major effort. Key roll-overs are never easy.In order to easy the key roll-over pains, we created a key transition document. This document is signed by the old keys in order to prove authorship. ... --------------------------------------------- http://www.cert.at/services/blog/20140328155445-1086.html *** NTP Amplification, SYN Floods Drive Up DDoS Attack Volumes *** --------------------------------------------- The potency of distributed denial of service attacks has increased steadily but dramatically over the last 14 months. --------------------------------------------- http://threatpost.com/ntp-amplification-syn-floods-drive-up-ddos-attack-vol… *** Schneider Electric Serial Modbus Driver Buffer Overflow *** --------------------------------------------- OVERVIEW Carsten Eiram of Risk-Based Security has identified a stack-based buffer overflow vulnerability in Schneider Electric’s Serial Modbus Driver that affects 11 Schneider Electric products. Schneider Electric has produced patches that mitigate this vulnerability. This vulnerability can be exploited remotely. --------------------------------------------- http://ics-cert.us-cert.gov/advisories/ICSA-14-086-01 *** Apple Credential Phishing via appleidconfirm.net, (Thu, Mar 27th) *** --------------------------------------------- ISC user Craig Cox wrote in alerting us of a fairly sophisticated phishing campaign that is currently in progress. The website appleidconfirm.net has a seemingly realistic Apple login page that is being sent out by email. The site even includes JavaScript code which validates your Apple ID as an email in an attempt to obtain only valid credentials. Upon submitting what it considers valid credentials, youre redirected to the /?2 page of the site which contains another form which appears to --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17869&rss *** SonicWALL Email Security Input Validation Flaw in License Management’ and ‘Advanced Pages Permits Cross-Site Scripting Attacks *** --------------------------------------------- A vulnerability was reported in SonicWALL Email Security. A remote user can conduct cross-site scripting attacks. The 'License Management' and 'Advanced' pages do not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. --------------------------------------------- http://www.securitytracker.com/id/1029965 *** Word and Excel Files Infected Using Windows PowerShell *** --------------------------------------------- Malware targeting Word and Excel files has been around for some time, but we recently encountered a new malware family, CRIGENT (also known as “Power Worm”) which brings several new techniques to the table. (We detect these files as W97M_CRIGENT.JER and X97M_CRIGENT.A.) Most significantly, instead of creating or including executable code, CRIGENT uses the Windows PowerShell --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/9hUmCpAOj9M/ *** OpenSSH 6.6 bypass SSHFP DNS RR checking by HostCertificate *** --------------------------------------------- I've been looking at handling host keys better, and tripped over this bug. Essentially, if the server offers a HostCertificate that the client doesn't accept, then the client doesn't then check for SSHFP records. --------------------------------------------- http://cxsecurity.com/issue/WLB-2014030239 *** [2014-03-28] Multiple vulnerabilities in Symantec LiveUpdate Administrator *** --------------------------------------------- Attackers are able to compromise Symantec LiveUpdate Administrator at the application and database levels because of vulnerable password reset functionality and SQL injection vulnerabilities. This enables access to credentials of update servers on the network without prior authentication. --------------------------------------------- https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2014… *** Python "os._get_masked_mode()" Race Condition Security Issue *** --------------------------------------------- A security issue has been reported in Python, which can be exploited by malicious, local users to potentially disclose or manipulate certain data. The security issue is caused due to a race condition within the "os._get_masked_mode()" function (Lib/os.py), which can be exploited to cause certain application-created files to be world-accessible. The security issue is reported in versions 3.4, 3.3, and 3.2. --------------------------------------------- https://secunia.com/advisories/57672 *** IBM Security Bulletin: IBM Operational Decision Manager and WebSphere ILOG JRules: Multiple security vulnerabilities in IBM JRE *** --------------------------------------------- This Security Bulletin addresses the security vulnerabilities that have shipped with the IBM Java Runtime Environment (JRE) included in IBM Operational Decision Manager and IBM ILOG JRules. IBM ODM and ILOG JRules now include the most recent version of the IBM JRE which fixes the security vulnerabilities reported in Oracles Critical Patch Update releases of January 2014. CVE(s): CVE-2014-0423, CVE-2014-0416 and CVE-2014-0411 Affected product(s) and affected version(s): IBM WebSphere ILOG --------------------------------------------- https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin… *** Cisco IOS Software High Priority Queue Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the packet driver code of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a reload of the affected device, resulting in a denial of service (DoS) condition. CVE-2014-2131 --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014…

1 0

Tageszusammenfassung - Donnerstag 27-03-2014
by Daily end-of-shift report 27 Mar '14

27 Mar '14

======================= = End-of-Shift report = ======================= Timeframe: Mittwoch 26-03-2014 18:00 − Donnerstag 27-03-2014 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl *** Allied Telesis AT-RG634A ADSL router unauthenticated webshell *** --------------------------------------------- Risk: High, Allied Telesis AT-RG634A ADSL Broadband router hidden administrative unauthenticated webshell .. --------------------------------------------- http://cxsecurity.com/issue/WLB-2014030221 *** HP Multiple StoreOnce Products Unauthorised Access Security Bypass Vulnerability *** --------------------------------------------- https://secunia.com/advisories/57601 *** Linux Kernel ath9k "ath_tx_aggr_sleep()" Race Condition Vulnerability *** --------------------------------------------- https://secunia.com/advisories/57468 *** When ZOMBIES attack: DDoS traffic triples as 20Gbps becomes the new normal *** --------------------------------------------- Junk traffic mostly floods in from botnets DDoS traffic has more than trebled since the start of 2013, according to a new study released on Thursday that fingers zombie networks as the primary source of junk traffic that can be used to flood websites. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2014/03/27/ddos_trends… *** DSA-2885-1 libyaml-libyaml-perl -- security update *** --------------------------------------------- Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. --------------------------------------------- https://www.debian.org/security/2014/dsa-2885 *** Cisco Event Response: Semiannual Cisco IOS Software Security Advisory Bundled Publication *** --------------------------------------------- Cisco released its semiannual Cisco IOS Software Security Advisory Bundled Publication on March 26, 2014. In direct response to customer feedback, Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of the month in March and September of each calendar year. The publication includes 5 Security Advisories that address vulnerabilities in Cisco IOS Software and 1 Security Advisory that addresses .. --------------------------------------------- http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_mar14.html *** Malware Hijacks Android Mobile Devices to Mine Cryptocurrency *** --------------------------------------------- Several bits of malware targeting Android mobile devices hijack the smartphone or tablets resources to mine digital currency such as Litecoin or Dogecoin. --------------------------------------------- http://threatpost.com/malware-hijacks-android-mobile-devices-to-mine-crypto…

1 0

Tageszusammenfassung - Donnerstag 27-03-2014
by Daily end-of-shift report 27 Mar '14

27 Mar '14

======================= = End-of-Shift report = ======================= Timeframe: Dienstag 25-03-2014 18:00 − Mittwoch 26-03-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** A few updates on "The Moon" worm, (Tue, Mar 25th) *** --------------------------------------------- It has been over a month since we saw the "Moon" worm first exploiting various Linksys routers. I think it is time for a quick update to summarize some of the things we learned since then: Much of what we found so far comes thanks to the malware analysis done by Bernado Rodriges. Bernado used QEMU to run the code in a virtual environment. QEMU is as far as I know the only widely available virtualization technique that can simulate a MIPS CPU while running on an x86 host. --------------------------------------------- http://isc.sans.edu/diary.html?storyid=17855&rss *** WordPress Pingback-Funktion für DDoS-Attacken missbraucht *** --------------------------------------------- WordPress Pingback-Funktion für DDoS-Attacken missbraucht24. März 2014 In den letzten Tagen gab es zahlreiche Medienberichte zu DDoS-Angriffen durch Missbrauch der XML-RPC-Pingback-Funktion von WordPress. Einige dieser Beiträge möchte ich, zur weiterführenden Lektüre für Betroffene und Interessierte, im Folgenden auflisten. Blog Post von Daniel Cid vom Security-Dienstleister Sucuri mit Erklärungen zur Funktionsweise der Attacke. Weiters wird beschrieben, --------------------------------------------- http://www.cert.at/services/blog/20140324230619-1079.html *** Bugtraq: CVE-2013-6955 Synology DSM remote code execution *** --------------------------------------------- webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header. --------------------------------------------- http://www.securityfocus.com/archive/1/531602 *** OpenSSL 1.0.0l cache side-channel attack *** --------------------------------------------- Topic: OpenSSL 1.0.0l cache side-channel attack Risk: Medium Text:The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-tim... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014030197 *** Xen HVMOP_set_mem_access Input Validation Flaw Lets Local Guest Users Deny Service on the Host System *** --------------------------------------------- A local user on the guest operating system can cause denial of service conditions on the host operating system. The HVMOP_set_mem_access HVM control operations does not properly validate input size. A local administrative user on an HVM guest operating system can consume excessive CPU resources on the host operating system. On version 4.2, only 64-bit versions of the hypervisor are affected. Device model emulators (qemu-dm) are affected. --------------------------------------------- http://www.securitytracker.com/id/1029956 *** Walkthrough of a Recent Zbot Infection and associated CnC Server *** --------------------------------------------- During routine ThreatLabZ log analysis, we encountered the following malicious Zbot executable connecting back to its CnC and exfiltrating data via POST requests. --------------------------------------------- http://feedproxy.google.com/~r/zscaler/research/~3/kygTD5dMmHo/walkthrough-… *** MIT Researchers Create Platform To Build Secure Web Apps That Never Leak Data *** --------------------------------------------- rjmarvin writes: "Researchers in the MIT Computer Science and Artificial Intelligence Laboratory have developed a platform for building secure web applications and services that never decrypt or leak data. MIT researcher Raluca Ada Popa, who previously worked on the Google and SAP-adopted CryptoDB, and her team, have put a longstanding philosophy into practice: to never store unencrypted data on servers. Theyve redesigned the entire approach to securing online data by creating Mylar, which --------------------------------------------- http://rss.slashdot.org/~r/Slashdot/slashdot/~3/QIuCSrAxslY/story01.htm *** PAM timestamp internals bypass authentication *** --------------------------------------------- Topic: PAM timestamp internals bypass authentication Risk: Low Text:Hi When playing with some PAM modules for my own projects, I came across some implications of pam_timestamp (which is part ... --------------------------------------------- http://cxsecurity.com/issue/WLB-2014030216 *** Nmap-Erfinder rebootet Full Disclosure *** --------------------------------------------- Gordon 'Fyodor' Lyon hat die überraschend geschlossene Full-Disclosure-Mailingliste wiederbelebt. Er habe viel Erfahrung mit dem Administrieren von Mailinglisten und keine Angst vor rechtlichen Drohungen, sagt der Sicherheitsexperte. --------------------------------------------- http://www.heise.de/security/meldung/Nmap-Erfinder-rebootet-Full-Disclosure… *** TYPO3 CMS 6.2 LTS is now available *** --------------------------------------------- ... TYPO3 CMS 6.2 LTS, which was released today. As the second TYPO3 release with long-term support (LTS), TYPO3 CMS 6.2 LTS will receive at least three years of support from the development team behind the open-source software. --------------------------------------------- http://typo3.org/news/article/typo3-presents-the-latest-version-of-its-free… *** Jetzt VoIP-Passwort ändern: Kriminelle nutzen erbeutete Fritzbox-Daten aus *** --------------------------------------------- Die Fritzbox-Angreifer haben anscheinend lange Zeit unbemerkt Zugangsdaten gesammelt, ohne sie zu benutzen. Für die Nutzer hat das jetzt ein übles Nachspiel, denn die meisten Passwörter funktionieren weiterhin. Der Schaden geht in die Hunderttausende. --------------------------------------------- http://www.heise.de/security/meldung/Jetzt-VoIP-Passwort-aendern-Kriminelle… *** Splunk Unspecified Cross-Site Scripting Vulnerability *** --------------------------------------------- A vulnerability has been reported in Splunk, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability is reported in versions prior to 5.0.8. --------------------------------------------- https://secunia.com/advisories/57554 *** libcURL Connection Re-use and Certificate Verification Security Issues *** --------------------------------------------- Multiple security issues have been reported in libcURL, which can be exploited by malicious people to conduct spoofing attacks and bypass certain security restrictions. --------------------------------------------- https://secunia.com/advisories/57434 *** 10 rules of thumb of internet safety *** --------------------------------------------- Malicious parties on the internet try to gain access to your computer, tablet or mobile phone and to intercept personal data. Malware, phishing and spam are frequently occurring threats. These 10 rules of thumb provide a basis to protect yourself against these threats. --------------------------------------------- http://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/fact… *** New Metasploit 4.9 Helps Evade Anti-Virus Solutions, Test Network Segmentation, and Increase Productivity for Penetration Testers *** --------------------------------------------- Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing our total module count up to 1,974. The new version is available immediately. --------------------------------------------- https://community.rapid7.com/community/metasploit/blog/2014/03/26/new-metas… *** [Honeypot Alert] JCE Joomla Extension Attacks *** --------------------------------------------- Our web honeypots picked up some increased exploit attempts for an old Joomla Content Editor (JCE) Extension vulnerability. Although this vulnerability is a few years old, botnet owners are heavily scanning for sites that are vulnerable and attempting to exploit them. --------------------------------------------- http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/v7CME1mpcfQ/honeypot-a… *** Cisco IOS Software SSL VPN Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device. To exploit this vulnerability, affected devices must be configured to process SIP messages. Limited Cisco IOS Software and Cisco IOS XE Software releases are affected. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IOS Software Crafted IPv6 Packet Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the implementation of the IP version 6 (IPv6) protocol stack in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause I/O memory depletion on an affected device that has IPv6 enabled. The vulnerability is triggered when an affected device processes a malformed IPv6 packet. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IOS Software Network Address Translation Vulnerabilities *** --------------------------------------------- The Cisco IOS Software implementation of the Network Address Translation (NAT) feature contains two vulnerabilities when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service condition. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Cisco IOS Software Internet Key Exchange Version 2 Denial of Service Vulnerability *** --------------------------------------------- A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device that would lead to a denial of service (DoS) condition. The vulnerability is due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device to be processed. An exploit could allow the attacker to cause a reload of the affected device that would lead to a DoS condition. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… *** Web Browser Security Revisited (Part 5) *** --------------------------------------------- In Part 1 of this series, we discussed the importance of web browser security and some security-related issues that are common to all or many of the popular browsers today. In Part 2, we talked about some specific security mechanisms that are built into Internet Explorer and how they're implemented. In Part 3, we looked at how to configure IE for best security. In Part 4, we examined how to do the same with Google Chrome. This time, we'll look at ... Chrome for Business. --------------------------------------------- http://www.windowsecurity.com/articles-tutorials/Web_Application_Security/w… *** Vuln: Apple Mac OS X APPLE-SA-2014-02-25-1 Multiple Security Vulnerabilities *** --------------------------------------------- Apple Mac OS X is prone to multiple vulnerabilities. The update addresses new vulnerabilities that affect ATS, CFNetwork Cookies, CoreAnimation, CoreText, Date and Time, curl, QuickTime, QuickLook, Finder, and File Bookmark components. Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions. These issues affect OS X versions prior to 10.9.2. --------------------------------------------- http://www.securityfocus.com/bid/65777

1 0

Tageszusammenfassung - Dienstag 25-03-2014
by Daily end-of-shift report 25 Mar '14

25 Mar '14

======================= = End-of-Shift report = ======================= Timeframe: Montag 24-03-2014 18:00 − Dienstag 25-03-2014 18:00 Handler: Robert Waldner Co-Handler: n/a *** Microsoft Security Advisory (2953095): Vulnerability in Microsoft Word Could Allow Remote Code Execution - Version: 1.0 *** --------------------------------------------- Microsoft is aware of a vulnerability affecting supported versions of Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. --------------------------------------------- http://technet.microsoft.com/en-us/security/advisory/2953095 *** Security Advisory 2953095: recommendation to stay protected and for detections *** --------------------------------------------- Today, Microsoft released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010. This blog will discuss mitigations and temporary defensive strategies that will help customers to protect themselves while we are working on a security update. This blog also provides some preliminary details of the exploit code observed in the wild. Mitigations and Workaround The in the wild --------------------------------------------- http://blogs.technet.com/b/srd/archive/2014/03/24/security-advisory-2953095… *** [dos] - Windows Media Player 11.0.5721.5230 - Memory Corruption PoC *** --------------------------------------------- #[+] Exploit Title: Windows Media Player 11.0.5721.5230 Memory Corruption PoC #[+] Date: 22-03-2014 #[+] Category: DoS/PoC #[+] Tested on: WinXp/Windows 7 Pro --------------------------------------------- http://www.exploit-db.com/exploits/32477 *** Security Notice- Allegro RomPager Information Disclosure Vulnerability in Multiple Huawei Routers *** --------------------------------------------- Huawei has noticed an information disclosure vulnerability on the RomPager embedded web server, which is developed by Allegro. The vulnerability affects Huawei HG520c, MT880, and MT886 access routers. --------------------------------------------- http://www.huawei.com/en/security/psirt/security-bulletins/security-notices… *** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-001] vulnerabilities in cacti *** --------------------------------------------- Summary: Three vulnerabilities were found in cacti version 0.8.7g. The vulnerabilities are: 1) Stored Cross-Site Scripting (XSS) (via URL) 2) Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands 3) The use of exec-like function calls without safety checks allow arbitrary commands --------------------------------------------- http://www.securityfocus.com/archive/1/531588 *** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-003] vulnerabilities in icinga *** --------------------------------------------- Two vulnerabilities were found in icinga version 1.9.1. These vulnerabilities are: 1) several buffer overflows 2) Off-by-one memory access --------------------------------------------- http://www.securityfocus.com/archive/1/531593 *** Bugtraq: Deutsche Telekom CERT Advisory [DTC-A-20140324-002] vulnerabilities in check_mk *** --------------------------------------------- Several vulnerabilities were found in check_mk version 1.2.2p2. The vulnerabilities are: 1 - Reflected Cross-Site Scripting (XSS) 2 - Stored Cross-Site Scripting (XSS) (via URL) 3 - Stored Cross-Site Scripting (XSS) (via external data, no link necessary) 4 - Stored Cross-Site Scripting (XSS) (via external data on service port, no link necessary) 5 - Missing CSRF (Cross-Site Request Forgery) token allows execution of arbitrary commands 6 - Multiple use of exec-like function calls which allow arbitrary commands 7 - Deletion of arbitrary files --------------------------------------------- http://www.securityfocus.com/archive/1/531594 *** Net-snmp snmptrapd Community String Processing Lets Remote Users Deny Service *** --------------------------------------------- A remote user can send a specially crafted SNMP trap request with an empty community string to trigger a flaw in newSVpv() and cause the target snmptrapd service to crash. Systems with the Perl handler enabled are affected. --------------------------------------------- http://www.securitytracker.com/id/1029950 *** Trojan.PWS.OSMP.21 infects payment terminals *** --------------------------------------------- March 25, 2014 Home users aren't the only ones being targeted by today's threats - various financial organisations are receiving their own share of attention from criminals who are crafting malicious applications for ATMs and payment terminals. Doctor Web has issued a warning regarding one such Trojan, namely, Trojan.PWS.OSMP.21. This malware is infecting the terminals of a major Russian payment system. --------------------------------------------- http://news.drweb.com/show/?i=4259&lng=en&c=9 *** RSA BSAFE Micro Edition Suite (MES) 4.0.x Denial Of Service *** --------------------------------------------- Summary: RSA BSAFE MES 4.0.5 contains fix for a security vulnerability that could potentially be exploited by malicious users to deny access to the affected system. Details: This vulnerability may cause unpredictable application behavior resulting in a server crash due to faulty certificate chain processing logic. --------------------------------------------- http://cxsecurity.com/issue/WLB-2014030193 *** PHP Fileinfo libmagic AWK File Processing Denial of Service Vulnerability *** --------------------------------------------- A vulnerability has been reported in PHP, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the libmagic library bundled in the Fileinfo extension when processing certain AWK scripts, which can be exploited to cause excessive CPU resources consumption via a specially crafted AWK script file. --------------------------------------------- https://secunia.com/advisories/57564 *** OpenVZ update for kernel *** --------------------------------------------- OpenVZ has issued an update for kernel. This fixes multiple vulnerabilities, which can be exploited by malicious people to potentially compromise a vulnerable system. --------------------------------------------- https://secunia.com/advisories/57573 *** Password Hashing Competition *** --------------------------------------------- Theres a private competition to identify new password hashing schemes. Submissions are due at the end of the month. --------------------------------------------- https://www.schneier.com/blog/archives/2014/03/password_hashin.html

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily