- Daily - CERT.at

Tageszusammenfassung - 21.11.2019
by Daily end-of-shift report 21 Nov '19

21 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-11-2019 18:00 − Donnerstag 21-11-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Millions of Sites Exposed by Flaw in Jetpack WordPress Plugin ∗∗∗ --------------------------------------------- Admins and owners of WordPress websites are urged to immediately apply the Jetpack 7.9.1 critical security update to prevent potential attacks that could abuse a vulnerability present since Jetpack 5.1. --------------------------------------------- https://www.bleepingcomputer.com/news/security/millions-of-sites-exposed-by… ∗∗∗ New RIPlace Bypass Evades Windows 10, AV Ransomware Protection ∗∗∗ --------------------------------------------- A new ransomware bypass technique called RIPlace requires only a few lines of code to bypass ransomware protection features built into many security products and Windows 10. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-riplace-bypass-evades-wi… ∗∗∗ Gnip Banking Trojan Shows Ongoing, Aggressive Development ∗∗∗ --------------------------------------------- The mobile malware, which incorporates Anubis source code, could evolve into a fully fledged spyware in the future. --------------------------------------------- https://threatpost.com/gnip-banking-trojan-aggressive-development/150521/ ∗∗∗ Linux Webmin Servers Under Attack by Roboto P2P Botnet ∗∗∗ --------------------------------------------- A newly-discovered peer-to-peer (P2P) botnet has been found targeting a remote code execution vulnerability in Linux Webmin servers. --------------------------------------------- https://threatpost.com/linux-webmin-servers-attack-p2p-botnet/150513/ ∗∗∗ Security baseline (FINAL) for Windows 10 v1909 and Windows Server v1909 ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1909 (a.k.a., “19H2”), and for Windows Server version 1909. Note that Windows Server version 1909 is Server Core only and does not offer a Desktop Experience (a.k.a., “full”) server installation option. --------------------------------------------- https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/Securit… ∗∗∗ Explained: juice jacking ∗∗∗ --------------------------------------------- Juice jacking is a type of cyberattack that uses a USB charging port to steal data or infect phones with malware. Learn how it works and ways to protect against it. --------------------------------------------- https://blog.malwarebytes.com/explained/2019/11/explained-juice-jacking/ ∗∗∗ Video: Identitätsdiebstahl bei Umfragejob ∗∗∗ --------------------------------------------- Auf diversen Job-Portalen stoßen Sie momentan auf Ausschreibungen zu Umfragejobs. Schon bei der Registrierung verlangt man Ihre Ausweiskopie. Melden Sie sich hier nicht an! Kriminelle stehlen Ihre Daten und tarnen die Eröffnung eines Bankkontos in Ihrem Namen als bezahlte Umfrage. --------------------------------------------- https://www.watchlist-internet.at/news/video-identitaetsdiebstahl-bei-umfra… ∗∗∗ DePriMon downloader uses novel ways to infect your PC with ColoredLambert malware ∗∗∗ --------------------------------------------- It is believed the downloader is using techniques not seen before in the wild. --------------------------------------------- https://www.zdnet.com/article/deprimon-downloader-uses-novel-ways-to-infect… ∗∗∗ New SectopRAT Trojan creates hidden second desktop to control browser sessions ∗∗∗ --------------------------------------------- The Trojan makes sure the second desktop is hidden from sight. --------------------------------------------- https://www.zdnet.com/article/new-sectoprat-malware-creates-hidden-second-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Releases Outlook for Android Security Update ∗∗∗ --------------------------------------------- Original release date: November 21, 2019Microsoft has released an update to address a vulnerability in Outlook for Android. An attacker could exploit this vulnerability to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/11/21/microsoft-releases… ∗∗∗ New security release versions of BIND are available: 9.11.13, 9.14.8 and 9.15.6 ∗∗∗ --------------------------------------------- New security releases of BIND are available which contain fixes for the CVEs disclosed today. --------------------------------------------- https://lists.isc.org/pipermail/bind-announce/2019-November/001143.html ∗∗∗ Apache Solr Bug Gets Bumped Up to High Severity ∗∗∗ --------------------------------------------- The vulnerability (CVE-2019-12409) was first reported in July and patched in August. ... Since the bug was initially discovered, researchers have reevaluated the threat and escalated its severity to high-risk. --------------------------------------------- https://threatpost.com/apache-solr-bug-gets-bumped-up-to-high-severity/1504… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (oniguruma and thunderbird-enigmail), openSUSE (chromium, ghostscript, and slurm), Oracle (kernel), Red Hat (kpatch-patch), Slackware (bind), SUSE (python-ecdsa), and Ubuntu (bind9 and mariadb). --------------------------------------------- https://lwn.net/Articles/805281/ ∗∗∗ Security Bulletin: Inadequate account lockout in Cloud Pak System (CVE-2019-4096) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-inadequate-account-lockou… ∗∗∗ Security Bulletin: Vulnerabilities in WAS Liberty affect IBM Spectrum LSF Suite, Spectrum LSF Suite for HPA and Spectrum LSF Application Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-was-li… ∗∗∗ Security Bulletin: Bypass Client-Side Validation vulnerability in Cloud Pak System (CVE-2019-4240) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bypass-client-side-valida… ∗∗∗ Security Bulletin: A vulnerability in Apache Solr (lucene) affects IBM Operations Analytics – Log Analysis (CVE-2019-4243) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Clickjacking vulnerability in IBM Operations Analytics – Log Analysis (CVE-2019-4215) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-clickjacking-vulnerabilit… ∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis is vulnerable to potential Host Header Injection (CVE-2019-4216) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoil Federated Identity Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: XStream as used by IBM QRadar SIEM is vulnerable to os command injection (CVE-2019-10173) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xstream-as-used-by-ibm-qr… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Operations Center on AIX (CVE-2019-4473, CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ IBM Security Bulletin: A Vulnerability in Apache PDFBox Affects Transformation Extender ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ap… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (CVE-2019-4473, CVE-2019-11771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Images for Red Hat Linux Systems (July2019 updates) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cognos Controller 2019Q4 Security Updater: Multiple Security Vulnerabilities have been identified in IBM Cognos Controller ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-201… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.11.2019
by Daily end-of-shift report 20 Nov '19

20 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-11-2019 18:00 − Mittwoch 20-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ NSA Releases Cyber Advisory: Managing Risk from Transport Layer Security Inspection ∗∗∗ --------------------------------------------- The National Security Agency (NSA) has released a Cyber Advisory that addresses managing risk from Transport Layer Security Inspection (TLSI). This short, informative document defines TLSI (a security process that allows incoming traffic to be decrypted, inspected, and re-encrypted), explains some risks and associated challenges, and discusses mitigations. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/11/19/nsa-releases-cyber… ∗∗∗ D-Link Adds More Buggy Router Models to 'Won’t Fix' List ∗∗∗ --------------------------------------------- D-Link has warned that more of its routers are vulnerable to critical flaws that allow remote hackers to take control of hardware and steal data. The routers won’t be fixed, said D-Link, explaining that the hardware has reached its end-of-life and will no longer receive security updates. ... D-Link identified the additional affected models as: DIR-866, DIR-655, DHP-1565, DIR-652, DAP-1533, DGL-5500, DIR-130, DIR-330, DIR-615, DIR-825, DIR-835, DIR-855L and DIR-862. --------------------------------------------- https://threatpost.com/d-link-wont-fix-router-bugs/150438/ ∗∗∗ Monero Project site compromised, served malware-infected binaries ∗∗∗ --------------------------------------------- The official website of the Monero Project has been compromised to serve a malware-infected version of the CLI (command-line interface) wallet. The malicious file was available for download for around 14 hours and at least one of the users who downloaded the malware has had their funds stolen. What happened? --------------------------------------------- https://www.helpnetsecurity.com/2019/11/20/monero-project-compromised/ ===================== = Vulnerabilities = ===================== ∗∗∗ Google and Samsung Fix Android Spying Flaw. Other Makers May Still Be Vulnerable ∗∗∗ --------------------------------------------- Until recently, weaknesses in Android camera apps from Google and Samsung made it possible for rogue apps to record video and audio and take images and then upload them to an attacker-controlled server -- without any permissions to do so. Camera apps from other manufacturers may still be susceptible. --------------------------------------------- https://tech.slashdot.org/story/19/11/19/1737219/google-and-samsung-fix-and… ∗∗∗ Administration Views - Moderately critical - Access bypass - SA-CONTRIB-2019-076 ∗∗∗ --------------------------------------------- This module replaces administrative overview/listing pages with actual views for superior usability.The module doesnt sufficiently check user access when using the "Menu system path" access handler on a Views displays other than "System". --------------------------------------------- https://www.drupal.org/sa-contrib-2019-076 ∗∗∗ Unbound: Vulnerability in IPSEC module ∗∗∗ --------------------------------------------- Due to unsanitized characters passed to the ipsecmod-hook shell command, it is possible for Unbound to allow shell code execution from a specially crafted IPSECKEY answer. (CVE-2019-18934) --------------------------------------------- https://nlnetlabs.nl/projects/unbound/security-advisories/ ∗∗∗ Flexera FlexNet Publisher ∗∗∗ --------------------------------------------- These vulnerabilities could allow an attacker to deny the acquisition of a valid license for legal use of the product. The memory corruption vulnerability could allow remote code execution. (CVE-2018-20033, CVSS v3 9.8) --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-323-01 ∗∗∗ High Severity Vulnerability Patched in WP Maintenance Plugin ∗∗∗ --------------------------------------------- This flaw allowed attackers to enable a vulnerable site’s maintenance mode and inject malicious code affecting site visitors. We disclosed this issue privately to the plugin’s developer who released a patch the next day. Plugin versions of WP Maintenance up to 5.0.5 are vulnerable to attacks against this flaw. All WP Maintenance users should update to version 5.0.6 immediately. --------------------------------------------- https://www.wordfence.com/blog/2019/11/high-severity-vulnerability-patched-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (redmine), Fedora (libidn2), Mageia (clamav, ghostscript, kernel, kernel-linus, libexif, libjpeg, mariadb, microcode, and systemd), and openSUSE (libjpeg-turbo). --------------------------------------------- https://lwn.net/Articles/805224/ ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Manager SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Teams for Windows DLL Hijacking Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco WebEx Centers Username Enumeration Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco SD-WAN Solution vManage Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unity Express Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Communications Domain Manager Persistent Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Stealthwatch Enterprise Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business Routers RV016, RV042, RV042G, and RV082 Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XR Software NETCONF Over Secure Shell ACL Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Email Security Appliance URL Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Email Security Appliance MP3 Content Filter Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Spaces: Connector SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Spaces: Connector Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Spaces: Connector Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Use of Insufficiently Random Values Vulnerability in Huawei ViewPoint Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191120-… ∗∗∗ Security Advisory - Two Vulnerabilities in Some Huawei Home Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191113-… ∗∗∗ Security Advisory - Improper Validation of Array Index Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191120-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Privilege Escalation (CVE-2019-4530) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: A security vulnerability has been fixed in the IBM Security Identity Manager product (CVE-2019-4561) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerabilities in WAS Liberty affect IBM Spectrum LSF Suite, Spectrum LSF Suite for HPA and Spectrum LSF Application Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-was-li… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.11.2019
by Daily end-of-shift report 19 Nov '19

19 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Montag 18-11-2019 18:00 − Dienstag 19-11-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Linux, Windows Users Targeted With New ACBackdoor Malware ∗∗∗ --------------------------------------------- Researchers have discovered a new multi-platform backdoor that infects Windows and Linux systems allowing the attackers to run malicious code and binaries on the compromised machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted… ∗∗∗ Buran Ransomware Infects PCs via Microsoft Excel Web Queries ∗∗∗ --------------------------------------------- A new spam campaign has been spotted distributing the Buran Ransomware through IQY file attachments. When opened, these Microsoft Excel Web Query attachments will execute a remote command that installs the ransomware onto a victims computer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/buran-ransomware-infects-pcs… ∗∗∗ Coin Stealer Found in Monero Linux Binaries From Official Site ∗∗∗ --------------------------------------------- The Monero Project is currently investigating a potential compromise of the official website after a coin stealer was found in the Linux 64-bit command line (CLI) Monero binaries downloaded from the download page. --------------------------------------------- https://www.bleepingcomputer.com/news/security/coin-stealer-found-in-monero… ∗∗∗ Elasticsearch: Datenleak bei Conrad ∗∗∗ --------------------------------------------- Der Elektronikhändler Conrad meldet, dass ein Angreifer Zugang zu Kundendaten und Kontonummern gehabt habe. Grund dafür war eine ungesicherte Elasticsearch-Datenbank. --------------------------------------------- https://www.golem.de/news/elasticsearch-datenleak-bei-conrad-1911-145091-rs… ∗∗∗ Windows Debugging & Exploiting Part 2 - WinDBG 101 ∗∗∗ --------------------------------------------- Hello again! After our previous post about the environment setup, now it is time to cover the main tool of this project, the WinDBG. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/windows-deb… ∗∗∗ When Bank Communication is Indistinguishable from Phishing Attacks ∗∗∗ --------------------------------------------- You know how banks really, really want to avoid their customers falling victim to phishing scams? And how they put a heap of effort into education to warn folks about the hallmarks of phishing scams? And how banks are the shining beacons of light when it comes to demonstrating security [...] --------------------------------------------- https://www.troyhunt.com/when-bank-communication-is-indistinguishable-from-… ∗∗∗ Vulnerability in ABB Plant Historian Disclosed 5 Years After Discovery ∗∗∗ --------------------------------------------- It took Swiss-based industrial technology solutions provider ABB five years to inform customers of a critical vulnerability affecting one of its products, and the researcher who found it says this increased the chances of threat actors discovering and exploiting the security flaw. --------------------------------------------- https://www.securityweek.com/vulnerability-abb-plant-historian-disclosed-5-… ∗∗∗ Vorsicht bei angeblichen Gewinnspielen von Magenta, A1, Drei oder Liwest ∗∗∗ --------------------------------------------- Aktuell verbreiten Kriminelle über unterschiedliche Kanäle Fake-Gewinnspiele. Sie werden entweder per E-Mail, SMS oder mittels Pop-Up im Browser benachrichtigt, dass Sie angeblich ein Smartphone gewonnen haben. Um den Gewinn zu erhalten, muss nur eine kurze Umfrage beantwortet und ein kleiner Geldbetrag für den Versand bezahlt werden. Vorsicht: Es handelt sich um eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-angeblichen-gewinnspiel… ===================== = Vulnerabilities = ===================== ∗∗∗ Schwere Sicherheitslücke in WhatsApp entdeckt ∗∗∗ --------------------------------------------- In WhatsApp wurde eine Schwachstelle gefunden, die es Angreifern ermöglicht, Dateien zu stehlen und Nachrichten auszulesen. --------------------------------------------- https://futurezone.at/apps/schwere-sicherheitsluecke-in-whatsapp-entdeckt/4… ∗∗∗ Lernplattform Moodle: Entwickler schließen kritische Schwachstellen ∗∗∗ --------------------------------------------- Moodle-Admins aufgepasst: Neue Versionen schließen mehrere, teils als "Serious" bewertete Lücken. --------------------------------------------- https://heise.de/-4591094 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-psutil, slurm-llnl, symfony, and thunderbird), Fedora (gd and ghostscript), and SUSE (ceph, haproxy, java-11-openjdk, and ncurses). --------------------------------------------- https://lwn.net/Articles/805149/ ∗∗∗ Lexmark Services Monitor 2.27.4.0.39 Directory Traversal ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019110124 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2019-5435, CVE-2019-5436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-a… ∗∗∗ HPESBHF03963 rev.1 - Certain HPE ProLiant Servers with Intel CSME, AMT, SPS, TXE, ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03968 rev.1 - HPE Gen10 ProLiant, Apollo, and Synergy Servers using Intel CPU Transactional Synchronization Extensions (TSX) Asynchronous Abort (TAA), Local Disclosure of Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03969 rev.1 - HPE ProLiant Gen10 Servers using certain Intel Xeon Scalable Processors, Voltage Modulation, Local Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03971 rev.1 - HPE Servers using certain Intel Processors, SMM and TXT, Local Escalation of Privilege ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03964 rev.1 - HPE Nimble Storage, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Google Chrome: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0998 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.11.2019
by Daily end-of-shift report 18 Nov '19

18 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-11-2019 18:00 − Montag 18-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New NextCry Ransomware Encrypts Data on NextCloud Linux Servers ∗∗∗ --------------------------------------------- On October 24, Nextcloud released an urgent alert about a remote code execution vulnerability that impacts the default Nextcloud NGINX configuration. Tracked as CVE-2019-11043, the flaw is in the PHP-FPM (FastCGI Process Manager) component, included by some hosting providers like Nextcloud in their default setup. A public exploit exists and has been leveraged to compromised servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encry… ∗∗∗ Powershell ConstrainedLanguage Mode ∗∗∗ --------------------------------------------- Gastbeitrag vom milCERT - Philipp Thaller und Stefan Bachmair - Bei der Analyse von aktueller Malware stellte sich heraus dass viele der aktuellen Exemplare (inkl. Emotet ) auf die PowerShell angewiesen sind um ihr schadhaftes Potential entfalten zu können. Schränkt man die PowerShell entsprechend ein, ist eine Ausführung des eigentlichen Schadcodes oft gar nicht möglich. --------------------------------------------- https://cert.at/de/blog/2019/11/201911-powershell-constrainedlanguage ∗∗∗ Willhaben warnt vor betrügerischer Phishing-SMS ∗∗∗ --------------------------------------------- Wer von der Verkaufsplattform Willhaben eine SMS mit Zahlungsinformationen bekommt, soll den Link keinesfalls anklicken. --------------------------------------------- https://futurezone.at/apps/willhaben-warnt-vor-betruegerischer-phishing-sms… ∗∗∗ pax: Exploit padding oracles for fun and profit ∗∗∗ --------------------------------------------- Pax (PAdding oracle eXploiter) is a tool for exploiting padding oracles in order to: - Obtain plaintext for a given piece of CBC encrypted data. - Obtain encrypted bytes for a given piece of plaintext, using the unknown encryption algorithm used by the oracle. --------------------------------------------- https://github.com/liamg/pax ∗∗∗ RdpThief: Extracting Clear-text Credentials from Remote Desktop Clients ∗∗∗ --------------------------------------------- In this blogpost I will describe the process I followed to write a tool that will extract clear-text credentials from the Microsoft RDP client using API hooking. Using this approach, if you are already operating under the privileges of the compromised user (e.g. as a result of a phish) and the user has an RDP session open, you are able to extract the clear-text credentials without privilege escalation. --------------------------------------------- https://www.mdsec.co.uk/2019/11/rdpthief-extracting-clear-text-credentials-… ∗∗∗ Medica 2019: BSI-Leitfaden zur Cyber-Sicherheit von Medizinprodukten ∗∗∗ --------------------------------------------- Im Kontext der sicheren Digitalisierung im Gesundheitswesen hat das Bundesamt für Sicherheit in der Informationstechnik (BSI) im Rahmen der Messe "Medica" in Düsseldorf einen neuen Leitfaden "Sicherheit von Medizinprodukten – Leitfaden zur Nutzung des MDS2 aus 2019" (Manufacturer Disclosure Statement for Medical Device Security) veröffentlicht. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Leitfaden_M… ∗∗∗ Google patches ‘awesome’ XSS vulnerability in Gmail dynamic email feature ∗∗∗ --------------------------------------------- The bug bounty hunter who disclosed the issue says the bug is a prime example of DOM Clobbering. --------------------------------------------- https://www.zdnet.com/article/google-patches-awesome-xss-vulnerability-in-g… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (angular.js, libapache2-mod-auth-openidc, mosquitto, postgresql-common, and thunderbird), Fedora (chromium, djvulibre, freetds, ghostscript, java-1.8.0-openjdk-aarch32, samba, thunderbird-enigmail, wpa_supplicant, and xen), openSUSE (go1.12, ImageMagick, and ucode-intel), Oracle (ghostscript and kernel), Red Hat (libcomps and sudo), Slackware (kernel), SUSE (microcode_ctl, slurm, and ucode-intel), and Ubuntu (mysql-5.7, mysql-8.0 and python-ecdsa). --------------------------------------------- https://lwn.net/Articles/805083/ ∗∗∗ Security Bulletin: Denial of Service vulnerability in WebSphere Application Server Liberty affects IBM Spectrum Protect Operations Center (CVE-2019-4096) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2019
by Daily end-of-shift report 15 Nov '19

15 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-11-2019 18:00 − Freitag 15-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ How the Linux kernel balances the risks of public bug disclosure ∗∗∗ --------------------------------------------- A serious Wi-Fi flaw shows how Linux handles security in plain sight. --------------------------------------------- https://nakedsecurity.sophos.com/2019/11/15/how-the-linux-kernel-balances-t… ∗∗∗ A Tale of Rootkits and Other Backdoors ∗∗∗ --------------------------------------------- In this post, we will focus on software backdoors commonly seen in Linux environments, we will attempt to outline some representative examples, and we will discuss common techniques backdoor authors use to hide their malicious payloads. --------------------------------------------- https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisory 2019-15: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- OTRS can be put into an endless loop by providing filenames with overly long extensions. This applies to the PostMaster (sending in email) and also upload (attaching files to mails, for example). --------------------------------------------- https://community.otrs.com/security-advisory-2019-15-security-update-for-ot… ∗∗∗ Security Advisory 2019-14: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, which are in the queue where attacker doesn’t have permissions. --------------------------------------------- https://community.otrs.com/security-advisory-2019-14-security-update-for-ot… ∗∗∗ A heap overflow vulnerability has been found in wolfssl ∗∗∗ --------------------------------------------- Wolfssl is an TLS library mostly used in embedded Linux devices. It is also used in the popular tool curl. ... The vulnerability has been given the CVE of CVE-2019–18840. --------------------------------------------- https://medium.com/@social_62682/heap-overflow-in-wolfssl-cve-2019-18840-18… ∗∗∗ Lücke in älteren WhatsApp-Versionen erlaubte Codeausführung aus der Ferne ∗∗∗ --------------------------------------------- Facebook weist auf eine Lücke in dem Messenger WhatsApp hin. Viele Geräte sollten dank automatischer Updates bereits seit einiger Zeit geschützt sein. --------------------------------------------- https://heise.de/-4587119 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (ghostscript, mesa, and postgresql-common), Fedora (chromium, php-robrichards-xmlseclibs, php-robrichards-xmlseclibs3, samba, scap-security-guide, and wpa_supplicant), Mageia (cpio, fribidi, libapreq2, python-numpy, webkit2, and zeromq), openSUSE (ImageMagick, kernel, libtomcrypt, qemu, ucode-intel, and xen), Oracle (kernel), Red Hat (ghostscript, kernel, and kernel-rt), Scientific Linux (ghostscript and kernel), SUSE (bash, enigmail, ghostscript, kernel, libjpeg-turbo, openconnect, squid), Ubuntu (ghostscript, imagemagick, postgresql-common). --------------------------------------------- https://lwn.net/Articles/804904/ ∗∗∗ Philips IntelliBridge EC40/80 ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-318-01 ∗∗∗ Omron CX-Supervisor ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-318-04 ∗∗∗ ABB Power Generation Information Manager (PGIM) and Plant Connect ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-318-05 ∗∗∗ Security Bulletin: CSV Injection (CVE-2019-4490) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-csv-injection-cve-2019-44… ∗∗∗ Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities affect IBM Cloud Object Storage SDK Java (November 2019 Bulletin) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM OS Images for RedHat Enterprise System is vulnerable to Intel Microarchitectural Data Sampling (MDS) Vulnerabilites (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-os-images-for-redhat-… ∗∗∗ Security Bulletin: OpenSSL vulnerabilites impacting IBM Aspera Connect 3.7.4 and earlier (CVE-2017-3732, CVE-2016-7055) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilites-im… ∗∗∗ Security Bulletin: Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable (CVE-2015-7450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-collection… ∗∗∗ iControl REST logs a plaintext password when the syntax of a cURL request is incorrect ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61105950 ∗∗∗ BIG-IP / BIG-IQ / Enterprise Manager / F5 iWorkflow Configuration utility vulnerability CVE-2019-6663 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K76052144 ∗∗∗ TMM vulnerability CVE-2019-6660 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23860356 ∗∗∗ TLS 1.3 vulnerability CVE-2019-6659 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34450231 ∗∗∗ BIG-IP restjavad vulnerability CVE-2019-6662 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01049383 ∗∗∗ TMOS vulnerability CVE-2019-6664 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03126093 ∗∗∗ BIG-IP APM apd vulnerability CVE-2019-6661 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K61705126 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.11.2019
by Daily end-of-shift report 14 Nov '19

14 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-11-2019 18:00 − Donnerstag 14-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researchers Find Bug in Qualcomm Code for Trusted App ∗∗∗ --------------------------------------------- Researchers stressing the code related to Qualcomms implementation of the secure execution area on mobile devices found a new vulnerability that could allow access to critical data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-find-bug-in-qual… ∗∗∗ NCSC-NZ Cyber threat report for 2018/19 released ∗∗∗ --------------------------------------------- The National Cyber Security Centre, (NCSC) has released its Cyber Threat Report for the 2018/19 reporting year. --------------------------------------------- https://www.ncsc.govt.nz/newsroom/cyber-threat-report-for-201819-released/ ∗∗∗ Windows & Linux get options to disable Intel TSX to prevent Zombieload v2 attacks ∗∗∗ --------------------------------------------- Disclosure of new Zombieload v2 vulnerability prompts OS makers to react with ways to disable Intels TSX technology. --------------------------------------------- https://www.zdnet.com/article/windows-linux-get-options-to-disable-intel-ts… ===================== = Vulnerabilities = ===================== ∗∗∗ Symantec Fixes Privilege Escalation Flaw in Endpoint Protection ∗∗∗ --------------------------------------------- Symantec fixed a local privilege escalation security flaw affecting all Symantec Endpoint Protection software versions prior to 14.2 RU2, and allowing attackers to escalate privileges on compromised devices and execute malicious code using SYSTEM privileges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/symantec-fixes-privilege-esc… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (kernel, linux-lts, and linux-zen), CentOS (kernel, sudo, and thunderbird), Debian (linux-4.9), Fedora (samba), openSUSE (apache2-mod_auth_openidc, kernel, qemu, rsyslog, and ucode-intel), Oracle (kernel), Red Hat (kernel and kernel-rt), Scientific Linux (kernel), SUSE (kernel and microcode_ctl), and Ubuntu (kernel, libjpeg-turbo, linux, linux-hwe, linux-oem, linux, linux-hwe, linux-oem-osp1, and qemu). --------------------------------------------- https://lwn.net/Articles/804775/ ∗∗∗ Movable Type vulnerable to open redirect ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN65280626/ ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenSSL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an Oracle MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an OpenSSL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ bzip2 vulnerability CVE-2019-12900 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K68713584 ∗∗∗ lodash library vulnerability CVE-2019-10744 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K47105354 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.11.2019
by Daily end-of-shift report 13 Nov '19

13 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-11-2019 18:00 − Mittwoch 13-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Network Traffic Analysis for IR: Address Resolution Protocol (ARP) with Wireshark ∗∗∗ --------------------------------------------- Introduction to the Address Resolution Protocol The Address Resolution Protocol (ARP) was first defined in RFC 826. As the name suggests, it is designed to resolve IP addresses into a form usable by other systems within a subnet. Network addressing works at a couple of different layers of the OSI model. --------------------------------------------- https://resources.infosecinstitute.com/address-resolution-protocol-arp-with… ∗∗∗ Schlüssel aus TPM-Chips lassen sich extrahieren ∗∗∗ --------------------------------------------- Mit einem Timing-Angriff lassen sich Signaturschlüssel auf Basis elliptischer Kurven aus TPM-Chips extrahieren. ... TPM-Chips sind in allen modernen PCs vorhanden und teilweise umstritten, da sie auch dazu genutzt werden können, Schutzmechanismen gegen den Willen des Nutzers umzusetzen. Trotz ihrer Verbreitung werden die Chips eher selten für kritische Applikationen genutzt, die Auswirkungen der Lücke dürften sich in Grenzen halten. --------------------------------------------- https://www.golem.de/news/tpm-fail-schluessel-aus-tpm-chips-lassen-sich-ext… ∗∗∗ GSM Traffic and Encryption: A5/1 Stream Cipher ∗∗∗ --------------------------------------------- This write-up documents some of my follow-up research with regard to analyzing the GSM traffic packets I captured using Software Defined Radio. My attempt was to better understand the GSM mobile network protocols and procedures, with an emphasis on the authentication and ciphering algorithms being deployed. --------------------------------------------- https://www.blackhillsinfosec.com/gsm-traffic-and-encryption-a5-1-stream-ci… ∗∗∗ Angriffe über USB und Bluetooth: Android-Smartphones verwundbar ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Schwachstellen in mehreren älteren Android-Smartphones entdeckt, die sie über USB- und Bluetooth-Verbindungen ausnutzen konnten. --------------------------------------------- https://heise.de/-4584690 ∗∗∗ Seriöses Job-Angebot oder Auftrag zur Geldwäsche? ∗∗∗ --------------------------------------------- Auf diversen Job-Börsen und Kleinanzeigenportalen stoßen Arbeitssuchende momentan auf Angebote zur freien Mitarbeit der „TideBit Deutschland LTD“. Die Firma existiert in dieser Form nicht. Kriminelle missbrauchen den Namen eines Kryptowährungsunternehmens, um BewerberInnen zur Geldwäsche zu bringen. Wer die Aufgaben erfüllt, macht sich womöglich selbst strafbar. --------------------------------------------- https://www.watchlist-internet.at/news/serioeses-job-angebot-oder-auftrag-z… ===================== = Vulnerabilities = ===================== ∗∗∗ November 2019 security updates are available! ∗∗∗ --------------------------------------------- We have released the November security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide. As a reminder, Windows 7 and Windows Server 2008 R2 will be out of extended support and no longer receiving updates as of January 14, 2020. --------------------------------------------- https://msrc-blog.microsoft.com:443/2019/11/12/november-2019-security-updat… ∗∗∗ Intel fixt Sicherheitslücken und enthüllt nebenbei eine neue ZombieLoad-Variante ∗∗∗ --------------------------------------------- Zum Patch Tuesday hat Intel 77 teils kritische Lücken gefixt, unter denen sich auch ein bislang geheim gehaltener Seitenkanalangriff befand. --------------------------------------------- https://heise.de/-4584543 ∗∗∗ VMSA-2019-0020 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, and Fusion patches provide Hypervisor-Specific Mitigations for Speculative-Execution Vulnerabilities (CVE-2018-12207, CVE-2019-11135) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0020.html ∗∗∗ VMSA-2019-0021 ∗∗∗ --------------------------------------------- VMware Workstation and Fusion updates address multiple security vulnerabilities (CVE-2019-5540, CVE-2019-5541, CVE-2019-5542) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0021.html ∗∗∗ VMSA-2019-0008.2 ∗∗∗ --------------------------------------------- VMware product updates enable Hypervisor-Specific Mitigations, Hypervisor-Assisted Guest Mitigations, and Operating System-Specific Mitigations for Microarchitectural Data Sampling (MDS) Vulnerabilities (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0008.html ∗∗∗ Xen Security Advisory CVE-2019-11135 / XSA-305 ∗∗∗ --------------------------------------------- A new way to sample data from microarchitectural structures has been identified. A TSX Asynchronous Abort is a state which occurs between a transaction definitely aborting (usually for reasons outside of the pipeline's control e.g. receiving an interrupt), and architectural state being rolled back to start of the transaction. During this period, speculative execution may be able to infer the value of data in the microarchitectural structures. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-305.html ∗∗∗ Xen Security Advisory CVE-2018-12207 / XSA-304 ∗∗∗ --------------------------------------------- An erratum exists across some CPUs whereby an instruction fetch may cause a machine check error if the pagetables have been updated in a specific manner without invalidating the TLB. ... This corner case can be triggered by guest kernels. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-304.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dpdk, intel-microcode, kernel, libssh2, qemu, and webkit2gtk), Fedora (apache-commons-beanutils, bluez, iwd, kernel, kernel-headers, kernel-tools, libell, and microcode_ctl), openSUSE (gdb), Oracle (kernel), Red Hat (kernel and kernel-rt), SUSE (dhcp, evolution, kernel, libcaca, python, python-xdg, qemu, sysstat, ucode-intel, and xen), and Ubuntu (dpdk, intel-microcode, kernel, linux, linux-aws, ..., webkit2gtk) --------------------------------------------- https://lwn.net/Articles/804641/ ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- CTX263684 - A security issue has been identified in certain CPU hardware that may allow unprivileged code running on a CPU core to infer the value of memory data belonging to other processes, virtual machines or the hypervisor that are, or have recently been, running on the same CPU core. --------------------------------------------- https://support.citrix.com/article/CTX263684 ∗∗∗ Citrix ADC and Citrix Gateway Security Update (CVE-2019-0140) ∗∗∗ --------------------------------------------- CTX263807 - A vulnerability has been identified affecting Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, platforms which could result in privilege escalation via layer 2 network access on all network interfaces. --------------------------------------------- https://support.citrix.com/article/CTX263807 ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Two Vulnerabilities in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191113-… ∗∗∗ Security Advisory - Improper File Management Vulnerability in Huawei Share ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191113-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by kernel vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM NeXtScale Fan Power Controller (FPC) is affected by vulnerability in OpenSSL (CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-nextscale-fan-power-c… ∗∗∗ libpcap vulnerability CVE-2019-15163 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K92862401?utm_source=f5support&utm_mediu… ∗∗∗ Hotfix XS80E008 - For Citrix Hypervisor 8.0 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX263663 ∗∗∗ Hotfix XS76E012 - For XenServer 7.6 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX263662 ∗∗∗ Hotfix XS71ECU2024 - For XenServer 7.1 Cumulative Update 2 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX263661 ∗∗∗ Hotfix XS70E075 - For XenServer 7.0 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX263660 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.11.2019
by Daily end-of-shift report 12 Nov '19

12 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Montag 11-11-2019 18:00 − Dienstag 12-11-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Threat Alert: TCP Amplification Attacks ∗∗∗ --------------------------------------------- TCP reflection attacks, such as SYN-ACK reflection attacks, have been less popular among attackers until recently. The lack of popularity was mainly due to the wrong assumption that TCP reflection attacks cannot generate enough amplification compared to UDP-based reflections. In general, TCP attacks are low bandwidth and less likely to saturate an internet link. --------------------------------------------- https://blog.radware.com/security/2019/11/threat-alert-tcp-reflection-attac… ∗∗∗ Tech Support Scammers Exploiting Unpatched Firefox Bug ∗∗∗ --------------------------------------------- Mozilla is working on addressing a Firefox bug that has been exploited by tech support scammers to lock the browser when users visit specially crafted websites. --------------------------------------------- https://www.securityweek.com/tech-support-scammers-exploiting-unpatched-fir… ∗∗∗ Netflix: Vorsicht vor betrügerischen Phishing-Mails ∗∗∗ --------------------------------------------- Aktuell häufen sich Meldungen über betrügerische E-Mails, die angeblich von Netflix stammen. Es sei ein Problem mit der Zahlungsabwicklung aufgetreten, sodass Netflix die Nutzungsgebühr nicht abbuchen kann und daher den Account vorübergehend gesperrt hat. Kriminelle fordern Netflix-NutzerInnen auf, die Kontoinformationen zu aktualisieren. Es handelt sich jedoch um Phishing! --------------------------------------------- https://www.watchlist-internet.at/news/netflix-vorsicht-vor-betruegerischen… ∗∗∗ This unusual new ransomware is going after servers ∗∗∗ --------------------------------------------- The previously undetected server-encrypting malware has been detailed in research by cyber security analysts at Intezer and IBM X-Force, who've named it PureLocker because it's written in written in the PureBasic programming language. ... It's currently uncertain how exactly PureLocker is delivered to victims, but researchers note that more_eggs campaigns begin with phishing emails, so the ransomware attacks could begin in the same way, with the final payload likely to be the final part of a multi-staged attack. --------------------------------------------- https://www.zdnet.com/article/this-unusual-new-ransomware-is-going-after-se… ===================== = Vulnerabilities = ===================== ∗∗∗ McAfee Patches Privilege Escalation Flaw in Antivirus Software ∗∗∗ --------------------------------------------- McAfee patched a security vulnerability discovered in all editions of its Antivirus software for Windows and enabling potential attackers to escalate privileges and execute code using SYSTEM privileges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mcafee-patches-privilege-esc… ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the implementation of the Lua interpreter integrated in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code with root privileges on the underlying Linux operating system of an affected device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Adobe Security Bulletins ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Animate CC (APSB19-34), Adobe Illustrator CC (APSB19-36), Adobe Media Encoder (APSB19-52) and Adobe Bridge CC (APSB19-53). --------------------------------------------- https://blogs.adobe.com/psirt/?p=1801 ∗∗∗ Sicherheitsupdate: Magento-Onlineshops von Schadcode-Attacken gefährdet ∗∗∗ --------------------------------------------- Wer einen Onlineshop mit Magento-Software betreibt, sollte aus Sicherheitsgründen zügig die aktuelle Version installieren. --------------------------------------------- https://heise.de/-4584383 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (community-mysql, crun, java-latest-openjdk, and mupdf), openSUSE (libssh2_org), and SUSE (go1.12, libseccomp, and tar). --------------------------------------------- https://lwn.net/Articles/804412/ ∗∗∗ Synology-SA-19:38 Synology Assistant ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Assistant. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_38 ∗∗∗ SAP Security Patch Day – November 2019 ∗∗∗ --------------------------------------------- On 12th of November 2019, SAP Security Patch Day saw the release of 12 Security Notes. There are 3 updates to previously released Patch Day Security Notes. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=528880390 ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache ActiveMQ vulnerability (CVE-2018-11775) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Incorrect permissions on restored files and directories on Windows using IBM Spectrum Protect Plus (CVE-2019-4652) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-incorrect-permissions-on-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Java affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact Configuration and Deployment Management Clickjacking ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by a jQuery vulnerability (CVE-2015-9251) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by a jQuery vulnerability (CVE-2019-11358) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ SSA-686531 (Last Update: 2019-11-12): Hardware based manufacturing access on S7-1200 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-686531.pdf ∗∗∗ SSA-616472 (Last Update: 2019-11-12): ZombieLoad and Microarchitectural Data Sampling Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-616472.pdf ∗∗∗ SSA-898181 (Last Update: 2019-11-12): Desigo PX Web Remote Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-898181.pdf ∗∗∗ SSA-434032 (Last Update: 2019-11-12): Vulnerability in Mentor Nucleus Networking Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-434032.pdf ∗∗∗ Multiple tcpdump vulnerabilities ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44551633 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.11.2019
by Daily end-of-shift report 11 Nov '19

11 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-11-2019 18:00 − Montag 11-11-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ DDoS attacks in Q3 2019 ∗∗∗ --------------------------------------------- Statistically, Q3 2019 differs little from Q2. In terms of geographical distribution of attacks and targets, we saw a continuation of the now familiar trend of unexpected guests appearing, only to drop out the next quarter. --------------------------------------------- https://securelist.com/ddos-report-q3-2019/94958/ ∗∗∗ Vulnerable Versions of Adminer as a Universal Infection Vector ∗∗∗ --------------------------------------------- This past week, we’ve been monitoring a new wave of website infections mostly impacting WordPress and Magento websites. We found that hackers have been injecting scripts from scripts.trasnaltemyrecords[.]com into multiple files and database tables. This is still the same ongoing campaign that we’ve been following for the past few years, where site visitors are redirected to various kinds of scam landing pages—including tech support scams, fake lottery wins, and malicious [...] --------------------------------------------- https://blog.sucuri.net/2019/11/vulnerable-versions-of-adminer-as-a-univers… ∗∗∗ Ring Video Doorbell Pro: Mitteilsame IoT-Türklingel verriet WLAN-Zugangsdaten ∗∗∗ --------------------------------------------- Eine Klingel, die Besucher sicht- und hörbar macht, hätte Angreifern unbemerkt vollen WLAN-Zugriff verschaffen können. Automatische Updates wurden verteilt. --------------------------------------------- https://heise.de/-4583764 ∗∗∗ Sofortübersetzer von Muama Enence hält nicht, was er verspricht ∗∗∗ --------------------------------------------- Ein Gerät, das 32 Sprachen unmittelbar übersetzt und Verständigungsprobleme im Urlaub oder bei Geschäftstätigkeiten beseitigt, klingt erstmal hervorragend! Dies verspricht die UAB Ekomlita mit dem MUAMA Enence Instant Translator. Doch Vorsicht: Hier werden mitunter wichtige Informationen zum Produkt verheimlicht, es kommt zu groben Problemen beim Rücktritt und wir hegen Bedenken zum Datenschutz! --------------------------------------------- https://www.watchlist-internet.at/news/sofortuebersetzer-von-muama-enence-h… ∗∗∗ Apples Siri unterwandert E-Mail-Verschlüsselung ∗∗∗ --------------------------------------------- Nachrichten werden unter macOS im Klartext lokal gespeichert – Fehlerbereinigung laut Apple in Arbeit --------------------------------------------- https://www.derstandard.at/story/2000110928043/apples-siri-unterwandert-e-m… ===================== = Vulnerabilities = ===================== ∗∗∗ Jira Service Desk Security Advisory 2019-11-06 ∗∗∗ --------------------------------------------- CVE-2019-15003 - Authorization bypass allows information disclosure CVE-2019-15004 - URL path traversal allows information disclosure --------------------------------------------- https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2… ∗∗∗ UniFi Video Server Privilege Escalation From user to SYSTEM via unauthenticated command execution ∗∗∗ --------------------------------------------- The vulnerability, or feature depending how you look at it, is the ability to execute commands using the evostream API interface that is exposed on localhost:7440. --------------------------------------------- https://hackerone.com/reports/544928 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ampache, chromium, djvulibre, firefox-esr, gdal, and ruby-haml), Fedora (chromium, file, gd, hostapd, nspr, and rssh), openSUSE (bcm20702a1-firmware, firefox, gdal, libtomcrypt, php7, python-ecdsa, python3, samba, and thunderbird), SUSE (apache2-mod_auth_openidc, libssh2_org, and rsyslog), and Ubuntu (bash). --------------------------------------------- https://lwn.net/Articles/804325/ ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to multiple Kernel vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by TCP denial of service vulnarabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Camel vulnerability (CVE-2019-0188) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Node.js lodash vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) ( CVE-2019-10744) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-lodash-vulnerabil… ∗∗∗ Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerability in SQLite (CVE-2018-20346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-m… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Jetty Vulnerabilities (CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2018-12536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Camel vulnerability (CVE-2019-0194) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to cross site scripting (XSS) (CVE-2019-4470) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Python affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to Intel Microarchitectural Data Sampling (MDS) Vulnerabilites ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2019
by Daily end-of-shift report 08 Nov '19

08 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-11-2019 18:00 − Freitag 08-11-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Warns of More Harmful Windows BlueKeep Attacks, Patch Now ∗∗∗ --------------------------------------------- The Microsoft Defender ATP Research Team says that the BlueKeep attacks detected on November 2 are connected with a coin mining campaign from September that used the same command-and-control (C2) infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-warns-of-more-harm… ∗∗∗ QNAP Warns Users to Secure Devices Against QSnatch Malware ∗∗∗ --------------------------------------------- Network-attached storage (NAS) maker QNAP urges customers to secure their NAS devices against an ongoing malicious campaign that infects them with QSnatch malware capable of stealing user credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-users-to-secure-d… ∗∗∗ Amazon Kindle, Embedded Devices Open to Code-Execution ∗∗∗ --------------------------------------------- Flaws in Das U-Boot affect third-party hardware that uses the universal bootloader as an underlying component. --------------------------------------------- https://threatpost.com/amazon-kindle-embedded-devices-code-execution/150003/ ∗∗∗ Pwn2Own Tokyo Roundup: Amazon Echo, Routers and Smart TVs Fall to Hackers ∗∗∗ --------------------------------------------- The latest edition of the bi-annual hacking contest saw creative exploits in new device categories. --------------------------------------------- https://threatpost.com/pwn2own-tokyo-2019-amazon-echo-hackers/150033/ ∗∗∗ Microsoft Apps Diverted from Their Main Use, (Fri, Nov 8th) ∗∗∗ --------------------------------------------- This week, the CERT.eu[1] organized its yearly conference in Brussels. Across many interesting presentations, one of them covered what they called the "catnmouse" game that Blue and Red teams are playing continuously. When the Blue team has detected an attack technique, they write a rule or implement a new control to detect or block it. Then, the Red team has to find an alternative attack path, [...] --------------------------------------------- https://isc.sans.edu/diary/rss/25502 ∗∗∗ Skimmers for Both Magento and WordPress ∗∗∗ --------------------------------------------- We often write about malware that steal payment information from sites built with Magento and other types of e-commerce CMS. When discussing credit card skimmers like Magecart, it’s sometimes overlooked that WordPress also has a decent share in the ecommerce segment. There are numerous popular plugins that can easily turn a WordPress site into a full-featured online store. In fact, Woocommerce alone has over 5 million installations. --------------------------------------------- https://blog.sucuri.net/2019/11/skimmers-for-both-magento-and-wordpress.html ∗∗∗ Wireshark Tutorial: Examining Trickbot Infections ∗∗∗ --------------------------------------------- A tutorial offering tips on how to identify Trickbot, an information stealer and banking malware that has been infecting victims since 2016. --------------------------------------------- https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-i… ===================== = Vulnerabilities = ===================== ∗∗∗ Medtronic Valleylab FT10 and LS10 ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for improper authentication and protection mechanism failure vulnerabilities in Medtronic’s Valleylab FT10 and LS10 energy and electrosurgery products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-311-01 ∗∗∗ Medtronic Valleylab FT10 and FX8 ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for use of hard-coded credentials, reversible one-way hash, and improper input validation vulnerabilities in Medtronic’s Valleylab FT10 and FX8 products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-311-02 ∗∗∗ Mitsubishi Electric MELSEC-Q Series and MELSEC-L Series CPU Modules ∗∗∗ --------------------------------------------- This advisory contains mitigations for an uncontrolled resource consumption vulnerability in select Mitsubishi Electrics CPU modules. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-311-01 ∗∗∗ Fuji Electric V-Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for a heap-based buffer overflow vulnerability in Fuji Electrics V-Server data collection and management service. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-311-02 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (linux-hardened), Debian (fribidi), Gentoo (oniguruma, openssh/openssh, openssl, and pump), Mageia (chromium-browser-stable, expat, firefox, freetds, proftpd, python, thunderbird, and unbound), Oracle (sudo), Scientific Linux (thunderbird), Slackware (kernel), SUSE (rubygem-haml), and Ubuntu (fribidi and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/804202/ ∗∗∗ IBM Security Bulletin: Security vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ tcpdump vulnerability CVE-2018-14879 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K51512510 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0006 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2019-0006.html ∗∗∗ Squid: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0966 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.11.2019
by Daily end-of-shift report 07 Nov '19

07 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-11-2019 18:00 − Donnerstag 07-11-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Specially Crafted ZIP Files Used to Bypass Secure Email Gateways ∗∗∗ --------------------------------------------- Attackers are always looking for new tricks to distribute malware without them being detected by antivirus scanners and secure email gateways. This was illustrated in a new phishing campaign that utilized a specially crafted ZIP file that was designed to bypass secure email gateways to distribute the NanoCore RAT. --------------------------------------------- https://www.bleepingcomputer.com/news/security/specially-crafted-zip-files-… ∗∗∗ How to Secure Critical Infrastructure When Patching Isn’t Possible ∗∗∗ --------------------------------------------- Mission-critical systems cant just be switched off to apply security updates -- so patching can take weeks if not years. --------------------------------------------- https://threatpost.com/secure-critical-infrastructure-when-patching-isnt-po… ∗∗∗ Vulnerability hunting with Semmle QL: DOM XSS ∗∗∗ --------------------------------------------- In two previous blog posts ( part 1 and part 2), we talked about using Semmle QL in C and C++ codebases to find vulnerabilities such as integer overflow, path traversal, and those leading to memory corruption. In this post, we will explore applying Semmle QL to web security by hunting for one of the [...] --------------------------------------------- https://msrc-blog.microsoft.com:443/2019/11/06/vulnerability-hunting-with-s… ∗∗∗ Getting the best value out of security assessments, (Thu, Nov 7th) ∗∗∗ --------------------------------------------- Since my day job is all about hacking, I get a lot of questions (and there appears to be a lot of confusion) about what a vulnerability scan, penetration test or red team assessment is. --------------------------------------------- https://isc.sans.edu/diary/rss/25498 ∗∗∗ Magento 1 End of Life ∗∗∗ --------------------------------------------- It’s no secret that a CMS without support will develop vulnerabilities. Eventually, these lead to a compromised website — which cripples any ecommerce business. When you consider the popularity of the Magento ecommerce platform, it’s easy to see how their announcement of the Magento 1 end of life could leave a significant portion of ecommerce retailers scrambling for new solutions. --------------------------------------------- https://blog.sucuri.net/2019/11/magento-1-end-of-life.html ∗∗∗ VB2019 paper: DNS on fire ∗∗∗ --------------------------------------------- In a paper presented at VB2019, Cisco Talos researchers Warren Mercer and Paul Rascagneres looked at two recent attacks against DNS infrastructure: DNSpionage and Sea Turtle. Today we publish their paper and the recording of their presentation. --------------------------------------------- https://www.virusbulletin.com:443/blog/2019/11/vb2019-paper-dns-fire/ ∗∗∗ C2 With It All: From Ransomware To Carding ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a new server hosting a large stockpile of malicious files. Our analysis of these files shows that these attackers were able to obtain a deep level of access to victims infrastructure — all of which allowed us to identify several targets of these attacks, including one American manufacturing company. Talos notified these targets of the attack. --------------------------------------------- https://blog.talosintelligence.com/2019/11/c2-with-it-all.html ∗∗∗ 5 Tipps zur Steigerung der Cybersecurity Awareness von Angestellten ∗∗∗ --------------------------------------------- Wie können Firmen ein Arbeitsumfeld schaffen, das es Angestellten ermöglicht, die nötigen Fähigkeiten zu erwerben, um Cybergefahren richtig einzuschätzen? --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/11/07/5-tipps-steigerung-cybers… ∗∗∗ Falsche Gewinnspiele für Kinogutscheine kosten 80 Euro pro Monat ∗∗∗ --------------------------------------------- Mit Facebook-Anzeigen und nachgebauten Facebook-Seiten von Kinos in ganz Österreich werben Kriminelle für ein Gewinnspiel. Angeblich können Kinogutscheine gewonnen werden. Doch Vorsicht: Hier gibt es nichts zu gewinnen! Statt eines Kinobesuchs gibt es nur Ärger. Die Kreditkartendaten landen in den Händen von Kriminellen, die dann 80 bis 90 Euro pro Monat abbuchen. --------------------------------------------- https://www.watchlist-internet.at/news/falsche-gewinnspiele-fuer-kinogutsch… ===================== = Vulnerabilities = ===================== ∗∗∗ Gamers Hit with Nvidia GPU Driver, GeForce Flaws ∗∗∗ --------------------------------------------- Vulnerabilities in several PC gaming products offered by Nvidia can lead to escalation of privilege, denial of service and other malicious attacks. --------------------------------------------- https://threatpost.com/gamers-hit-with-nvidia-gpu-driver-geforce-flaws/1499… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (squid), Fedora (chromium, libssh2, and wpa_supplicant), openSUSE (chromium), Red Hat (ansible, chromium-browser, openstack-octavia, patch, qemu-kvm-rhev, sudo, and thunderbird), Scientific Linux (sudo), SUSE (bluez, gdb, php72, and thunderbird), and Ubuntu (cpio and rygel). --------------------------------------------- https://lwn.net/Articles/804091/ ∗∗∗ Cisco: All these routers have the same embedded crypto keys, so update firmware ∗∗∗ --------------------------------------------- Cisco removes static encryption keys that were shared across its small-business routers. --------------------------------------------- https://www.zdnet.com/article/cisco-all-these-routers-have-the-same-embedde… ∗∗∗ Open Social - Critical - Insecure Session Management - SA-CONTRIB-2019-075 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-075 ∗∗∗ PEPPERL+FUCHS Linux Kernel Vulnerability on ecom Mobile Devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-021 ∗∗∗ Red Hat OpenShift Container Platform: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0965 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.11.2019
by Daily end-of-shift report 06 Nov '19

06 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-11-2019 18:00 − Mittwoch 06-11-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Emotet, Trickbot, Ryuk – ein explosiver Malware-Cocktail ∗∗∗ --------------------------------------------- Der aktuell "zerstörerischste" Schädling Emotet besteht aus einer Kaskade mehrerer Schadprogramme, die zusammen vielstellige Millionenschäden verursachen. --------------------------------------------- https://heise.de/-4573848 ∗∗∗ Überteuerte Visums- und Einreisegenehmigungsangebote im Internet ∗∗∗ --------------------------------------------- Ihr nächstes Urlaubsziel verlangt ein Visum? Dann nehmen Sie sich vor unseriösen Websites in Acht, die ein Vielfaches der tatsächlich anfallenden Gebühr für die Einreisegenehmigungen verlangen. Besondere Vorsicht ist beispielsweise bei Reisen nach Australien, Ägypten, Vietnam, Indien sowie Kanada oder in die USA und die Türkei geboten – theoretisch ist die Masche aber bei allen Destinationen mit Visumspflicht möglich. --------------------------------------------- https://www.watchlist-internet.at/news/ueberteuerte-visums-und-einreisegene… ∗∗∗ German Dridex spam campaign is unfashionably large ∗∗∗ --------------------------------------------- VB has analysed a malicious spam campaign targeting German-speaking users with obfuscated Excel malware that would likely download Dridex but that mostly stood out through its size. --------------------------------------------- https://www.virusbulletin.com:443/blog/2019/11/german-malspam-campaign-unfa… ∗∗∗ Scammers Are Exploiting a Firefox Bug to Freeze Your Browser ∗∗∗ --------------------------------------------- Fraudulent tech-support sites are causing the browser to lock up and display a disturbing message. Force quitting is the only way out. --------------------------------------------- https://www.wired.com/story/scammers-are-exploiting-a-firefox-bug-to-freeze… ∗∗∗ Siemens PLC Feature Can Be Exploited for Evil - and for Good ∗∗∗ --------------------------------------------- A hidden feature in some newer models of the vendors programmable logic controllers leaves the devices open to attack. Siemens says it plans to fix it. --------------------------------------------- https://www.darkreading.com/vulnerabilities---threats/siemens-plc-feature-c… ∗∗∗ Kamerka OSINT tool shows your countrys internet-connected critical infrastructure ∗∗∗ --------------------------------------------- Kamerka lets you see what a hacker sees. It plots maps with SCADA equipment, webcams, and printers that have been left exposed on the internet inside any given country. --------------------------------------------- https://www.zdnet.com/article/kamerka-osint-tool-shows-your-countrys-intern… ===================== = Vulnerabilities = ===================== ∗∗∗ Omron CX-Supervisor ∗∗∗ --------------------------------------------- This advisory contains mitigations for a use of obsolete function vulnerability in Omrons CX-Supervisor SCADA and HMI package. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-309-01 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cpio, openafs, proftpd-dfsg, simplesamlphp, and wordpress), Fedora (thunderbird), openSUSE (binutils, docker-runc, kernel, nfs-utils, php7, python3, and samba), Red Hat (389-ds:1.4, ansible, bind, container-tools:1.0, container-tools:rhel8, curl, dbus, dhcp, dovecot, edk2, elfutils, evolution, freeradius:3.0, gdb, gettext, glib2, glibc, GNOME, gnutls, go-toolset:rhel8, http-parser, httpd:2.4, kernel, kernel-rt, libarchive, libjpeg-turbo, libqb, [...] --------------------------------------------- https://lwn.net/Articles/804018/ ∗∗∗ Smartwares HOME easy v1.0.9 Database Backup Information Disclosure Exploit ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5541.php ∗∗∗ Smartwares HOME easy v1.0.9 Client-Side Authentication Bypass ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ Security Advisory - Insufficient Authentication Vulnerability in Several Band Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191106-… ∗∗∗ libpcap vulnerability CVE-2018-16301 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K86252029 ∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0959 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.11.2019
by Daily end-of-shift report 05 Nov '19

05 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Montag 04-11-2019 18:00 − Dienstag 05-11-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Alexa und Siri: Sprachbefehle unhörbar per Laser übertragen ∗∗∗ --------------------------------------------- Sprachbefehle müssen nicht unbedingt per Sprache übertragen werden: Forschern ist es gelungen, smarte Lautsprecher wie Amazon Echo oder Google Home mit einem Laser aus bis zu 110 Metern Entfernung zu steuern - und so beispielsweise ein Garagentor zu öffnen. --------------------------------------------- https://www.golem.de/news/alexa-und-siri-sprachbefehle-unhoerbar-per-laser-… ∗∗∗ Magecart Groups Attack Simultaneous Sites in Card-Theft Frenzy ∗∗∗ --------------------------------------------- Stealing payment-card data and PII from e-commerce sites has become so lucrative that some are being targeted by multiple groups at the same time. --------------------------------------------- https://threatpost.com/magecart-groups-attack-simultaneous-sites-in-card-th… ∗∗∗ Bluekeep exploitation causing Bluekeep vulnerability scan to fail, (Tue, Nov 5th) ∗∗∗ --------------------------------------------- I woke up this morning to the long anticipated news that Bluekeep exploitation is happening in the wild. As some of you may recall, back in August I wrote a diary demonstrating a way to scan for Bluekeep vulnerable devices. So the next thing I did was check my Bluekeep scan results and was presented with this graph. --------------------------------------------- https://isc.sans.edu/diary/rss/25488 ∗∗∗ Pwning a Smart Car Charger, Building a Bot-Net ∗∗∗ --------------------------------------------- ...or Why We Don’t Build Commercial IoT on a Raspberry Pi. A positive story of disclosure and remediation. We’re quite in to our electric vehicles at PTP, so we started hunting for a smart car charger. There are plenty of industrial chargers out there and some research has been done in the past. We got [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/pwning-a-smart-car-charger-bu… ∗∗∗ Bestellen Sie nicht bei kafrosa.de ∗∗∗ --------------------------------------------- kafrosa.de vertreibt Kaffeemaschinen, Kaffeevollautomaten und sogar Kaffee zu günstigen Preisen. Der Aufbau von kafrosa.de wirkt seriös, verpflichtende Angaben über das Unternehmen werden angeführt und die Auszeichnungen des Shops stiften Vertrauen. Doch Vorsicht: Der Schein trügt. Es handelt sich um einen Fake-Shop, der keine Ware liefert! --------------------------------------------- https://www.watchlist-internet.at/news/bestellen-sie-nicht-bei-kafrosade/ ∗∗∗ A look at WP-VCD, todays largest WordPress hacking operation ∗∗∗ --------------------------------------------- Exclusive look into the WP-VCD gang operations! --------------------------------------------- https://www.zdnet.com/article/a-look-at-wp-vcd-todays-largest-wordpress-hac… ===================== = Vulnerabilities = ===================== ∗∗∗ Windows-Kernel-Lücke in Netzwerküberwachsungssoftware PRTG geschlossen ∗∗∗ --------------------------------------------- Die in Paessler PRTG integrierte Paket-Sniffer-Bibliothek Npcap ist verwundbar. Das haben die Entwickler nun repariert. --------------------------------------------- https://heise.de/-4577699 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (electron, ghostscript, glibc, python2, and samba), Debian (webkit2gtk), Slackware (libtiff), SUSE (ImageMagick, python-ecdsa, and samba), and Ubuntu (apport, haproxy, ruby-nokogiri, and whoopsie). --------------------------------------------- https://lwn.net/Articles/803885/ ∗∗∗ Synology-SA-19:37 DSM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote authenticated users to execute arbitrary commands or conduct denial-of-service attacks, or allow remote attackers to delete arbitrary files via a susceptible version of DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_37 ∗∗∗ Microsoft Office365 Integrity Validation / Remote Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019110022 ∗∗∗ [20191002] - Core - Path Disclosure in phpuft8 mapping files ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/Zi-lVuM4KoY/795-20191002-c… ∗∗∗ [20191001] - Core - CSRF in com_template overrides view ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/LaIC5kOPGB0/794-20191001-c… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageGateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar Advisor With Watson is vulnerable to Hazardous Input Validation in some cases ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-advisor-with-w… ∗∗∗ November 4, 2019 TNS-2019-07 [R1] PHP Stand-alone Patch Available for Tenable.sc versions 5.7.x to 5.11.x ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2019-07 ∗∗∗ FRF.16 parser vulnerability CVE-2018-14468 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04367730 ∗∗∗ Dell integrated Dell Remote Access Controller: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0957 ∗∗∗ Google Android: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0958 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.11.2019
by Daily end-of-shift report 04 Nov '19

04 Nov '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-10-2019 18:00 − Montag 04-11-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows: Schadsoftware nutzt erstmals Bluekeep-Sicherheitslücke aus ∗∗∗ --------------------------------------------- Als eine Sicherheitslücke wie Wanna Cry beschreibt Microsoft Bluekeep. Nun entdeckten Sicherheitsforscher die erste Schadsoftware, die die Lücke ausnutzt. Diese ist jedoch noch weit entfernt von dem Worst-Case-Szenario. --------------------------------------------- https://www.golem.de/news/windows-schadsoftware-nutzt-erstmals-bluekeep-sic… ∗∗∗ Malware "QSnatch" attackiert QNAP-Netzwerkspeicher – auch in Deutschand ∗∗∗ --------------------------------------------- QSnatch hat es auch hierzulande auf NAS von QNAP abgesehen. Ob ein Firmware-Update hilft, ist unklar – durchführen sollte man es dennoch. --------------------------------------------- https://heise.de/-4573483 ∗∗∗ Android Beam erlaubt Einschleusen fremder Apps ∗∗∗ --------------------------------------------- Über NFC könnten fast unbemerkt gefährliche Apps auf Android-Geräte gelangen. Betroffen sind Android 8, 9 und 10. Es gibt Abhilfe. --------------------------------------------- https://heise.de/-4574396 ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WISE-PaaS/RMM ∗∗∗ --------------------------------------------- This advisory contains mitigations for path traversal, missing authorization, improper restriction of XML external entity reference, and SQL injection vulnerabilities in Advantech’s WISE-PaaS/RMM IoT device remote monitoring and management platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-304-01 ∗∗∗ Honeywell equIP Series IP Cameras ∗∗∗ --------------------------------------------- This advisory contains mitigations for an improper input validation vulnerability in Honeywells equIP series IP cameras. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-304-02 ∗∗∗ Honeywell equIP and Performance Series IP Cameras ∗∗∗ --------------------------------------------- This advisory contains mitigations for a missing authentication for critical function vulnerability in Honeywells equIP series and Performance series IP cameras. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-304-03 ∗∗∗ Honeywell equIP and Performance Series IP Cameras and Recorders ∗∗∗ --------------------------------------------- This advisory contains mitigations for an authentication bypass by capture-relay vulnerability in Honeywells equIP series and Performance series IP cameras and recorders. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-304-04 ∗∗∗ Watch Out IT Admins! Two Unpatched Critical RCE Flaws Disclosed in rConfig ∗∗∗ --------------------------------------------- If youre using the popular rConfig network configuration management utility to protect and manage your network devices, here we have an important and urgent warning for you. A cybersecurity researcher has recently published details and proof-of-concept exploits for two unpatched, critical remote code execution vulnerabilities in the rConfig utility, at least one of which could allow [...] --------------------------------------------- https://thehackernews.com/2019/11/rConfig-network-vulnerability.html ∗∗∗ Microsoft Office for Mac cannot properly disable XLM macros ∗∗∗ --------------------------------------------- The Microsoft Office for Mac option "Disable all macros without notification" enables XLM macros without prompting, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. --------------------------------------------- https://kb.cert.org/vuls/id/125336/ ∗∗∗ Update verfügbar: MikroTik sichert Router gegen vier Schwachstellen ab ∗∗∗ --------------------------------------------- Schwachstellen in RouterOS lassen sich zu einer Exploit-Chain zusammenbauen. Gerätebesitzer sollten jetzt updaten. --------------------------------------------- https://heise.de/-4573749 ∗∗∗ Xcode: Lücken in Entwicklungsumgebung erlaubten beliebige Codeausführung ∗∗∗ --------------------------------------------- Zwei Lücken in der macOS-Entwicklungsumgebung Xcode vor Version 11.2 erlaubten die beliebige Programmcode-Ausführung – möglicherweise auch aus der Ferne. --------------------------------------------- https://heise.de/-4575632 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, sudo, and thunderbird), Debian (libarchive and qtbase-opensource-src), Oracle (php), Red Hat (php, rh-php71-php, and rh-php72-php), Scientific Linux (firefox and php), and SUSE (kernel and samba). --------------------------------------------- https://lwn.net/Articles/803651/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium and qt5-webengine), CentOS (firefox and php), Fedora (file, java-latest-openjdk, nspr, nss, php, t1utils, and webkit2gtk3), Mageia (ansible, aspell, golang, libsoup, and libxslt), openSUSE (chromium and chromium, re2), Oracle (php), and Ubuntu (apport and file). --------------------------------------------- https://lwn.net/Articles/803785/ ∗∗∗ Synology-SA-19:36 PHP ∗∗∗ --------------------------------------------- CVE-2019-11043 allows remote attackers to execute arbitrary code via a susceptible version of PHP 7.2, or PHP 7.3. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_36 ∗∗∗ [remote] Microsoft Windows Server 2012 - Group Policy Security Feature Bypass ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47559 ∗∗∗ [remote] Microsoft Windows Server 2012 - Group Policy Remote Code Execution ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/47558 ∗∗∗ Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator (CVE-2019-4442) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in PHP (CVE-2019-6978, CVE-2019-6977) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-m… ∗∗∗ Security Bulletin: IBM Navigator for i is affected by CVE-2019-4450 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-af… ∗∗∗ Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in libssh2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-m… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a TCP SACK PANIC -Kernel vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerability in PHP. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-chassis-m… ∗∗∗ Security Bulletin: IBM Content Navigator is affected by a vulnerability in Apache Commons Beanutils (CVE-2019-10086) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Security Bulletin: IBM Navigator for i is affected by CVE-2019-4450 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-af… ∗∗∗ BIG-IP TMUI XSS vulnerability CVE-2019-6657 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22441651 ∗∗∗ BIG-IP AFM SQL injection vulnerability CVE-2019-6658 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21121741 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX263477 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.10.2019
by Daily end-of-shift report 31 Oct '19

31 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-10-2019 18:00 − Donnerstag 31-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ EML attachments in O365 - a recipe for phishing, (Thu, Oct 31st) ∗∗∗ --------------------------------------------- Ive recently come across interesting behavior of Office 365 when EML files are attached to e-mail messages, which can be useful for any red teamers out there but which can potentially also make certain types of phishing attacks more successful. --------------------------------------------- https://isc.sans.edu/diary/rss/25474 ∗∗∗ Data URLs and HTML Entities in New WordPress Malware ∗∗∗ --------------------------------------------- Last week, an ongoing WordPress malware campaign started a new wave which included a variety of experimental injection types. Scripts as Data URLs The first type looks pretty similar to what we discussed in our recent post. However, instead of placing the code between the … tags, these injections have begun to embed them inline using a so called data URL notation in the src parameter. --------------------------------------------- https://blog.sucuri.net/2019/10/data-urls-and-html-entities-in-new-wordpres… ∗∗∗ MS-ISAC Releases EOS Software Report List ∗∗∗ --------------------------------------------- Original release date: October 30, 2019The Multi-State Information Sharing and Analysis Center (MS-ISAC) has released an end-of-support (EOS) software report list. Software that has reached its EOS date no longer receives security updates and patches from the vendor and is, therefore, susceptible to exploitation from security vulnerabilities. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/30/ms-isac-releases-e… ∗∗∗ 5th eHealth Security Conference: ENISA advises on cybersecurity for hospitals ∗∗∗ --------------------------------------------- ENISA, the EU Agency for Cybersecurity organised the 5th consecutive eHealth Security Conference in cooperation with the Spanish Authorities and the Centre for Information Security of Catalonia (CESICAT) on the 30th October in Barcelona. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/5th-ehealth-security-conference… ∗∗∗ Office 365 Users Targeted by Voicemail Scam Pages ∗∗∗ --------------------------------------------- Over the past few weeks McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials. At first, we believed that only one phishing kit was being used to harvest the user’s credentials. However, during our investigation, we found three different malicious [...] --------------------------------------------- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/office-365-user… ∗∗∗ Ungenutzte E-Mail-Adressen ermöglichen Zugang zu persönlichen Konten ∗∗∗ --------------------------------------------- E-Mail-Adressen, die nicht mehr genutzt werden, werden oft neu vergeben. Wenn diese Adressen noch bei Social-Media-Konten, Gaming-Accounts, Online-Shops oder anderen Zugangsdaten hinterlegt sind, können sich die neuen BesitzerInnen Zugang zu diesen Konten verschaffen. Kriminelle nutzen das zu Betrugs- und Erpressungszwecken aus. --------------------------------------------- https://www.watchlist-internet.at/news/ungenutzte-e-mail-adressen-ermoeglic… ∗∗∗ Untitled Goose Game security hole could have allowed hackers to wreak havoc ∗∗∗ --------------------------------------------- The highly popular “Untitled Goose Game” has been found to be vulnerable to an attack that could allow hackers to run malicious code on your computer. --------------------------------------------- https://hotforsecurity.bitdefender.com/blog/untitled-goose-game-security-ho… ∗∗∗ Home & Small Office Wireless Routers Exploited to Attack Gaming Servers ∗∗∗ --------------------------------------------- Unit 42 researchers discovered an updated Gafgy variant that looks to infect home and small office WiFi routers of known commercial brands, like Zyxel, Huawei, and Realtek to attack gaming servers. More than 32,000 WiFi routers are potentially vulnerable to these exploits around the world. --------------------------------------------- https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-expl… ∗∗∗ Vorwarnung: Neue Webseite kommt nächste Woche ∗∗∗ --------------------------------------------- tl;dr: Nein, wir werden nächste Woche nicht gehackt, wir stellen nur eine neue Webseite online. --------------------------------------------- http://www.cert.at/services/blog/20191031121150-2561.html ===================== = Vulnerabilities = ===================== ∗∗∗ XSA-299 Security Vulnerability ∗∗∗ --------------------------------------------- IBM is aware of a reported XSA-299 security vulnerability (CVE-2019-18421) that potentially would permit an attacker from within a VSI to elevate privileges to that of the host.There are no known malicious exploits of this vulnerability, which potentially impacts the hypervisor.IBM is implementing updates to remediate this vulnerability. No downtime for clients is expected and no client action is necessary for IBM Cloud virtual servers. While we do not anticipate any issues with remediation, we [...] --------------------------------------------- https://www.ibm.com/blogs/psirt/xsa-299-security-vulnerability/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (italc and python-ecdsa), Fedora (php and sudo), openSUSE (binutils and docker-runc), Oracle (thunderbird), Red Hat (firefox and sudo), SUSE (ardana-ansible, ardana-glance, ardana-horizon, ardana-input-model, ardana-manila, ardana-neutron, ardana-nova, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, galera-3, grafana, mariadb, mariadb-connector-c, novnc, openstack-cinder, openstack-glance, openstack-heat, [...] --------------------------------------------- https://lwn.net/Articles/803583/ ∗∗∗ XSA-303 - ARM: Interrupts are unconditionally unmasked in exception handlers ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-303.html ∗∗∗ XSA-302 - passed through PCI devices may corrupt host memory after deassignment ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-302.html ∗∗∗ XSA-301 - add-to-physmap can be abused to DoS Arm hosts ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-301.html ∗∗∗ XSA-299 - Issues with restartable PV type change operations ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-299.html ∗∗∗ XSA-298 - missing descriptor table limit checking in x86 PV emulation ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-298.html ∗∗∗ XSA-296 - VCPUOP_initialise DoS ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-296.html Next End-of-Day report: 2019-11-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.10.2019
by Daily end-of-shift report 30 Oct '19

30 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-10-2019 18:00 − Mittwoch 30-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Paradise Ransomware Decryptor Gets Your Files Back for Free ∗∗∗ --------------------------------------------- A decryptor for the Paradise Ransomware has been released by Emsisoft that allows victims to decrypt their files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/paradise-ransomware-decrypto… ∗∗∗ A1 warnt Android-Nutzer vor App, die Bankdaten stiehlt ∗∗∗ --------------------------------------------- Kunden sollten sich vor einer App mit dem Titel „Netztest“ in Acht nehmen. --------------------------------------------- https://futurezone.at/digital-life/a1-warnt-android-nutzer-vor-app-die-bank… ∗∗∗ Gewinnversprechen von Coca-Cola in Höhe von 1 Million US-Dollar ist Scam ∗∗∗ --------------------------------------------- Wenn Sie per E-Mail über einen Gewinn in Millionenhöhe benachrichtigt werden, handelt es sich um einen Betrugsversuch. Aktuell geben sich Kriminelle als Kommunikationsbeauftragte von Coca-Cola aus und informieren Sie über einen vermeintlichen Gewinn. Die Gewinnsumme wird im Austausch Ihrer persönlichen Daten und Ausweiskopien übermittelt. Vorsicht: Kriminelle versuchen an Ihr Geld zu kommen, stehlen Ihre Identität und missbrauchen sie für Straftaten in Ihrem [...] --------------------------------------------- https://www.watchlist-internet.at/news/gewinnversprechen-von-coca-cola-in-h… ===================== = Vulnerabilities = ===================== ∗∗∗ PHOENIX CONTACT Automation Worx Software Suite ∗∗∗ --------------------------------------------- This advisory contains mitigations for an improper input validation vulnerability in Phoenix Contacts Automation Worx Software Suite products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-302-01 ∗∗∗ Apple Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: October 30, 2019Content: Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates: [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/30/apple-releases-sec… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (imapfilter, libvncserver, and pam-python), Fedora (tcpdump), Mageia (file, graphviz, kernel, and php, pcre2), openSUSE (nfs-utils), Red Hat (heketi and samba), Scientific Linux (thunderbird), SUSE (libtomcrypt, php7, and runc), and Ubuntu (apport, libarchive, libidn2, samba, and whoopsie). --------------------------------------------- https://lwn.net/Articles/803474/ ∗∗∗ Synology-SA-19:35 Samba ∗∗∗ --------------------------------------------- These vulnerabilities allow remote attackers to bypass security constraints via a susceptible version of DiskStation Manager (DSM), Synology Router Manager (SRM), and allow remote authenticated users to conduct denial-of-service attacks via a susceptible version of Synology Directory Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_35 ∗∗∗ Security Advisory - Two Heap Buffer Overflow Vulnerabilities in Broadcom WiFi Chipset Drivers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191030-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.10.2019
by Daily end-of-shift report 29 Oct '19

29 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Montag 28-10-2019 18:00 − Dienstag 29-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücke in EU-Authentifizierungssoftware (eIDAS Node) ∗∗∗ --------------------------------------------- SEC Consult identifizierte kritische Schwachstellen in eIDAS-Node, die es einem Angreifer ermöglichen könnten, sich als beliebiger EU-Bürger auszugeben. --------------------------------------------- https://www.sec-consult.com/blog/2019/10/sicherheitsluecke-in-eu-authentifi… ∗∗∗ File Inclusions: kleiner Programmierfehler, fatale Wirkung ∗∗∗ --------------------------------------------- Angriffe über File Inclusions sind vor allem in PHP und JSP nach wie vor möglich und können verheerende Folgen haben. --------------------------------------------- https://heise.de/-4570773 ∗∗∗ MikroTik Router Vulnerabilities Can Lead to Backdoor Creation ∗∗∗ --------------------------------------------- A chain of vulnerabilities in MikroTik routers could allow an attacker to gain a backdoor. The chain starts with DNS poisoning, goes on to downgrading the installed version of MikroTiks RouterOS software, and ends with enabling a backdoor. read more --------------------------------------------- https://www.securityweek.com/mikrotik-router-vulnerabilities-can-lead-backd… ∗∗∗ Achtung Abo-Falle: endlich-windelfrei.de & baby-endlich-schlafen.de ∗∗∗ --------------------------------------------- Die Websites endlich-windelfrei.de und baby-endlich-schlafen.de versprechen Eltern große Erleichterungen beim Abgewöhnen der Windel und Schlafenlegen der Kinder. Die Systeme „Endlich Schlaf für Ihr Baby“ und „Von der Windel zum Töpfchen – in nur 3 Tagen“ können um nur 1 Euro erworben werden. Doch Vorsicht: Der Kauf führt in eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-abo-falle-endlich-windelfrei… ∗∗∗ Modern Wireless Tradecraft Pt I ∗∗∗ --------------------------------------------- The past few years have seen some exciting developments in the subtle art of forcing wireless devices to connect to malicious access points. We’ve seen the resurgence of karma-style attacks with Dominic White’s and Ian de Villiers’ work on MANA, as well George Chatzisofroniou’s Lure10 and Known Beacon attacks, which can be used to target devices that are immune to karma [1][2]. --------------------------------------------- https://posts.specterops.io/modern-wireless-attacks-pt-i-basic-rogue-ap-the… ===================== = Vulnerabilities = ===================== ∗∗∗ Trend Micro schließt zwei Schwachstellen in Sicherheitssoftware für Windows ∗∗∗ --------------------------------------------- Patches für Apex One, OfficeScan und WFBS fixen zwei Schwachstellen. Trend Micro hat Exploit-Versuche beobachtet und rät zum zügigen Update. --------------------------------------------- https://heise.de/-4571304 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.0, php7.3, ruby-loofah, and spip), Fedora (proftpd), openSUSE (lz4 and sysstat), Red Hat (chromium-browser, jss, kernel, kernel-alt, kpatch-patch, pango, polkit, sudo, systemd, and thunderbird), SUSE (graphite-web, python3, and samba), and Ubuntu (php5, php7.0, php7.2, php7.3, and samba). --------------------------------------------- https://lwn.net/Articles/803381/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0005 ∗∗∗ --------------------------------------------- Date Reported: October 29, 2019 Advisory ID: WSA-2019-0005 CVE identifiers: CVE-2019-8625, CVE-2019-8674,CVE-2019-8707, CVE-2019-8719,CVE-2019-8720, CVE-2019-8726,CVE-2019-8733, CVE-2019-8735,CVE-2019-8763, CVE-2019-8768,CVE-2019-8769, CVE-2019-8771. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2019-8625 Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before2.26.0. Credit to Sergei Glazunov of Google Project Zero. Impact: Processing maliciously crafted [...] --------------------------------------------- https://webkitgtk.org/security/WSA-2019-0005.html ∗∗∗ Unauthenticated Access to Modbus Interface in Carel pCOWeb HVAC ∗∗∗ --------------------------------------------- As part of its features, the Carel pCOWeb card exposes a Modbus interface to the network. By design, Modbus does not provide authentication, allowing to control the affected system. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2019-014/ ∗∗∗ Unsafe Storage of Credentials in Carel pCOWeb HVAC ∗∗∗ --------------------------------------------- The Carel pCOWeb card stores password hashes in the file "/etc/passwd",allowing privilege escalation by authenticated users. Additionally,plaintext copies of the passwords are stored. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2019-013/ ∗∗∗ BlackBerry Powered by Android Security Bulletin - October 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ tcpdump vulnerability CVE-2018-14880 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56551263?utm_source=f5support&utm_mediu… ∗∗∗ Open Redirect Vulnerability Patched In Bridge Theme ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2019/10/open-redirect-vulnerability-patched-… ∗∗∗ PHOENIX CONTACT improper access control exists on FL NAT devices when using MAC-based port security ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-020 ∗∗∗ Samba: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0945 ∗∗∗ McAfee Total Protection: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0944 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.10.2019
by Daily end-of-shift report 28 Oct '19

28 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-10-2019 18:00 − Montag 28-10-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Network traffic analysis for IR: Analyzing fileless malware ∗∗∗ --------------------------------------------- Fileless malware is malware authors’ response to traditional malware identification and analysis techniques. Many antiviruses operate by using signature-based analysis to identify malicious files on a computer. By ensuring that a malicious file is never saved on the filesystem, malware authors can make their attacks much more difficult to detect and [...] --------------------------------------------- https://resources.infosecinstitute.com/network-traffic-analysis-for-ir-anal… ∗∗∗ Steam-powered scammers ∗∗∗ --------------------------------------------- One of the most popular platforms among users (and hence cybercriminals) is Steam, and we’ve been observing money-making schemes to defraud its users for quite some time. Since June, however, such attacks have become more frequent and, compared to previous attempts, far more sophisticated. --------------------------------------------- https://securelist.com/steam-powered-scammers/94553/ ∗∗∗ Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise ∗∗∗ --------------------------------------------- Experts on demand is now generally available and gives customers direct access to real-life Microsoft threat analysts to help with their security investigations. --------------------------------------------- https://www.microsoft.com/security/blog/2019/10/28/experts-on-demand-your-d… ∗∗∗ Using scdbg to Find Shellcode, (Sun, Oct 27th) ∗∗∗ --------------------------------------------- I've written a couple of diary entries about scdbg, a Windows 32-bit shellcode emulator. --------------------------------------------- https://isc.sans.edu/diary/rss/25460 ∗∗∗ VB2019 paper: Inside Magecart: the history behind the covert card-skimming assault on the e-commerce industry ∗∗∗ --------------------------------------------- Today we publish the VB2019 paper by RiskIQ researcher Yonathan Klijnsma, who looked at the Magecart web-skimming attacks. --------------------------------------------- https://www.virusbulletin.com:443/blog/2019/10/vb2019-paper-inside-magecart… ∗∗∗ Ouroboros Ransomware decryption tool ∗∗∗ --------------------------------------------- Ouroboros ransomware has been around for more than a year in various forms, operated by different cybercrime groups. Ouroboros, known to spread via Remote Desktop Protocol bruteforce attacks and deceptive downloads, has claimed a significant number of victims worldwide. We’re now happy to announce the availability of a new decryptor that can restore the .Lazarus, and .Lazarus+ file extensions to their original, unencrypted form. --------------------------------------------- https://labs.bitdefender.com/2019/10/ouroboros-ransomware-decryption-tool/ ∗∗∗ New Ransomware CCryptor struck, which can encrypt 362 file types ∗∗∗ --------------------------------------------- Recently, 360 Security Center captured a new type of ransomware CCryptor. The attacker spread the virus by delivering phishing emails, and the CVE-2017-11882 vulnerability was [...] --------------------------------------------- https://blog.360totalsecurity.com/en/new-ransomware-ccryptor-struck-which-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Updates für PHP7: NGINX-Server mit PHP-FPM waren aus der Ferne angreifbar ∗∗∗ --------------------------------------------- Betreiber eines NGINX-Webservers mit PHP-FPM sollten zügig updaten: Aktuelle PHP-Versionen schließen eine Lücke, für die es Exploit-Code gibt. --------------------------------------------- https://heise.de/-4570800 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, firefox, php, and thunderbird), Debian (file, golang-1.11, libarchive, libxslt, mosquitto, php5, and proftpd-dfsg), Fedora (apache-commons-compress, chromium, java-1.8.0-openjdk, java-11-openjdk, jss, kernel, kernel-headers, kernel-tools, libpcap, mod_auth_openidc, tcpdump, and xpdf), openSUSE (kernel, openconnect, procps, python, sysstat, and zziplib), and SUSE (binutils, docker-runc, ImageMagick, nfs-utils, and xen). --------------------------------------------- https://lwn.net/Articles/803318/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2019
by Daily end-of-shift report 25 Oct '19

25 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-10-2019 18:00 − Freitag 25-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Vendor Email Compromise (VEC): The Classic Business Email Compromise (BEC) Scheme with a Spin ∗∗∗ --------------------------------------------- A new email fraud scheme has taken Business Email Compromise (BEC) to a whole new level of sophistication. The recently discovered type of email scam has been dubbed Vendor Email Compromise (VEC) and as its name suggests, the attackers prey on employees working at vendor companies. --------------------------------------------- https://heimdalsecurity.com/blog/vendor-email-compromise-vec/ ∗∗∗ ACSC Releases Advisory on Emotet Malware Campaign ∗∗∗ --------------------------------------------- Original release date: October 25, 2019The Australian Cyber Security Centre (ACSC) has released an advisory on an ongoing, widespread Emotet malware campaign. Emotet is a Trojan—commonly spread via malicious email attachments—that attempts to proliferate within a network by brute forcing user credentials and writing to shared drives. ACSC provides indicators of compromise (IOCs) and recommendations to help organizations defend against Emotet malware. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/25/acsc-releases-advi… ∗∗∗ Your smart doorbell may be collecting more data than you think, study finds ∗∗∗ --------------------------------------------- The study tested 81 IoT devices to analyze their behavior and tracking habits, and in some cases brought rather surprising findings The post Your smart doorbell may be collecting more data than you think, study finds appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2019/10/25/iot-smart-doorbell-collecting-dat… ===================== = Vulnerabilities = ===================== ∗∗∗ Urgent security issue in NGINX/php-fpm ∗∗∗ --------------------------------------------- [...] a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php-fpm configurations. If you do not run NGINX, this exploit does not effect you. --------------------------------------------- https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/ ∗∗∗ Philips IntelliSpace Perinatal ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for an exposure of resource to wrong sphere vulnerability in Philips’ IntelliSpace Perinatal obstetrics information management system. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-297-01 ∗∗∗ Rittal Chiller SK 3232-Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for a missing authentication for critical function and use of hard-coded vulnerabilities in Rittals Chiller SK 3232-series IT application cooler. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-297-01 ∗∗∗ Honeywell IP-AK2 ∗∗∗ --------------------------------------------- This advisory contains mitigations for a missing authentication for critical function vulnerability in Honeywells IP-AK2 access control panels. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-297-02 ∗∗∗ VMSA-2019-0019 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation and Fusion updates address a denial-of-service vulnerability (CVE-2019-5536) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0019.html ∗∗∗ VMSA-2019-0018 ∗∗∗ --------------------------------------------- VMware vCenter Server Appliance updates address sensitive information disclosure vulnerability in backup and restore functions (CVE-2019-5537, CVE-2019-5538) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0018.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Gentoo (php), Oracle (firefox), Scientific Linux (sudo), and SUSE (accountsservice, binutils, nfs-utils, and xen). --------------------------------------------- https://lwn.net/Articles/803158/ ∗∗∗ Mattermost security update 5.16.1 / 5.15.2 / 5.14.5 / 5.9.6 (ESR) released ∗∗∗ --------------------------------------------- We have released a recommended security update via Mattermost Team Edition 5.16.1, 5.15.2, 5.14.5, 5.9.6 (ESR) and Mattermost Enterprise Edition 5.16.1, 5.15.2, 5.14.5, 5.9.6 (ESR). This security update addresses a high level vulnerability discovered during a security research review by Roman Shchekin. Follow the standard upgrade instructions to apply the updates. --------------------------------------------- https://mattermost.com/blog/mattermost-security-update-5-16-1-5-15-2-5-14-5… ∗∗∗ 2019-10-22: Vulnerability in Relion® 650 series and Relion® 670 series - Terminal Reboot ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9256&Lan… ∗∗∗ 2019-10-22: Vulnerability in Relion® 670 series - MMS Path Traversal ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9255&Lan… ∗∗∗ 2019-10-22: Vulnerabilities in Relion® 650 series version 2.1 and Relion® 670 series version 2.1 - OpenSSL ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9254&Lan… ∗∗∗ IBM Security Bulletin: IBM API Connect’s Developer Portal(V5) is impacted by a a confidential information leak(CVE-2019-4600) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-deve… ∗∗∗ IBM Security Bulletin: IBM Maximo Health, Safety, and Environment Manager Installation Gives Application Access to Non-Authorized Users (CVE-2019-4546) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-health-saf… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Use of a Broken or Risky Cryptographic Algorithm vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Cleartext Transmission of Sensitive Information vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Missing Cookie Secure Attribute vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Hazardous Input Validation vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Use of a One-Way Hash without a Salt vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by an Information Exposure vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Use of Hard-coded Credentials vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Missing Authentication for Critical Function vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.10.2019
by Daily end-of-shift report 24 Oct '19

24 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-10-2019 18:00 − Donnerstag 24-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Your Supply Chain Doesnt End At Receiving: How Do You Decommission Network Equipment?, (Thu, Oct 24th) ∗∗∗ --------------------------------------------- Trying to experiment with cutting edge security tools, without breaking the bank, often leads me to used equipment on eBay. High-end enterprise equipment is usually available at a bargain-basement price. For experiments or use in a home/lab network, I am willing to take the risk to receive the occasional "dud," and I usually can do without the support and other perks that come with equipment purchased full price. --------------------------------------------- https://isc.sans.edu/diary/rss/25448 ∗∗∗ Windows Debugging & Exploiting Part 1 - Environment Setup ∗∗∗ --------------------------------------------- In this blog series, I will try to set some base knowledge for Windows system debugging & exploitation and present how to setup an environment for remote kernel debugging. This environment will be useful for learning Windows internals and indispensable for our future posts about its exploitation. About Windows internals, I really recommend the training from Pavel Yosifovich on Pluralsight that will expand your familiarity with the system if you are new to the topic. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/windows-deb… ∗∗∗ Warnung vor Handybezahlfalle auf Facebook ∗∗∗ --------------------------------------------- Bei der Rundfunk und Telekom Regulierungs-GmbH (RTR) häufen sich derzeit Beschwerden über unerwartet hohe Handyrechnungen. Die Betroffenen wurden über Facebook in eine Handyfalle gelockt. Sie tätigten unwissentlich teure Einkäufe, die dann über ihr Handy bezahlt wurden. --------------------------------------------- https://help.orf.at/stories/2993419/ ∗∗∗ Android Adware‑Entwickler aufgespürt ∗∗∗ --------------------------------------------- ESET-Forscher beschreiben, wie sie eine einjährige Adware-Kampagne bei Google Play entdeckten, die Millionen von Usern beeinträchtigte. --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/10/24/android-adware-entwickler… ∗∗∗ Some ICS Security Incidents Resulted in Injury, Loss of Life: Survey ∗∗∗ --------------------------------------------- ATLANTA — SECURITYWEEK 2019 ICS CYBER SECURITY CONFERENCE — Some of the recent cybersecurity incidents involving industrial control systems (ICS) have resulted in injury and even loss of life, according to a survey conducted by Control Systems Cyber Security Association International (CS2AI). --------------------------------------------- https://www.securityweek.com/some-ics-security-incidents-resulted-injury-lo… ∗∗∗ Führerscheine legal online kaufen? Mitnichten! ∗∗∗ --------------------------------------------- KonsumentInnen, die sich im Internet über den Führerschein informieren, stoßen womöglich auch auf Websites wie billigerfuehrerschein.com oder fuhrerschein-online.com. Die betrügerischen Websites werben mit dem legalen Verkauf von Führerscheinen ohne Fahr- und Theorieprüfungen. Achtung: Sowohl die Herstellung als auch die Nutzung derartiger Dokumente ist illegal, es kommt zu keiner Lieferung und bezahltes Geld ist weg. --------------------------------------------- https://www.watchlist-internet.at/news/fuehrerscheine-legal-online-kaufen-m… ∗∗∗ Practical Behavioral Profiling of PowerShell Scripts through Static Analysis (Part 2) ∗∗∗ --------------------------------------------- Part 2 of a 3-part blog series that offers a more technical perspective and begins looking at common obfuscation techniques and methods for hiding data within PowerShell that can be reversed. --------------------------------------------- https://unit42.paloaltonetworks.com/practical-behavioral-profiling-of-power… ===================== = Vulnerabilities = ===================== ∗∗∗ EOL D-Link Routers Vulnerable to Remote Command Execution ∗∗∗ --------------------------------------------- Original release date: October 24, 2019The CERT Coordination Center (CERT/CC) has released information on a vulnerability (CVE-2019-16920) affecting multiple D-Link routers. A remote attacker could exploit this vulnerability to take control of an affected device.D-Link no longer provides support to the affected end-of-life (EOL) devices, and updates will not be made available. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/10/24/eol-d-link-routers… ∗∗∗ SYSS-2019-009, SYSS-2019-010 und SYSS-2019-011: Schwachstellen in weiterer Funktastatur mit "sicherer" 2,4-GHz-Technologie ∗∗∗ --------------------------------------------- SySS IT-Sicherheitsexperte Matthias Deeg fand im Rahmen eines Forschungsprojekts zu drahtlosen Eingabegeräten (siehe auch 1 und 2) drei Sicherheitsschwachstellen im Fujitsu Wireless Keyboard Set LX390. Diese drei Schwachstellen betreffen einen fehlenden Schutz vor Replay-Angriffen, eine fehlende Verschlüsselung von per Funkkommunikation übertragenen sensiblen Daten und die Möglichkeit für Keystroke Injection-Angriffe. --------------------------------------------- https://www.syss.de/pentest-blog/2019/syss-2019-009-syss-2019-010-und-syss-… ∗∗∗ Sicherheitspatches: Angreifer könnten mit Admin-Rechten auf Junos OS zugreifen ∗∗∗ --------------------------------------------- Die Entwickler des Betriebssystems für Netzwerkgeräte Junos OS haben eine gefährliche Sicherheitslücke geschlossen. --------------------------------------------- https://heise.de/-4567444 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (file), Mageia (bind, chromium-browser-stable, java-1.8.0-openjdk, libsndfile, mediawiki, and virtualbox), Oracle (firefox), Red Hat (firefox and sudo), Scientific Linux (firefox and OpenAFS), SUSE (kernel, lz4, rust, and xen), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/803068/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in MongoDB server affect IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2019-10197) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-sa… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM i HTTP Server affect IBM i. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Cloud (CVE-2019-4304, CVE-2019-4305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ libcurl vulnerability CVE-2018-16890 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03314397 ∗∗∗ Linux kernel vulnerability CVE-2019-15916 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K57418558 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2019
by Daily end-of-shift report 23 Oct '19

23 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-10-2019 18:00 − Mittwoch 23-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ VB2019 papers: Emotet and Ryuk ∗∗∗ --------------------------------------------- Today we publish VB2019 papers by Luca Nagy (Sophos) on Emotet and Gabriela Nicolao and Luciano Martins (Deloitte) on Ryuk, as well as the corresponding videos of their presentations. --------------------------------------------- https://www.virusbulletin.com:443/blog/2019/10/vb2019-papers-emotet-and-ryu… ∗∗∗ CPDoS: Cache Poisoned Denial of Service ∗∗∗ --------------------------------------------- Cache-Poisoned Denial-of-Service (CPDoS) is a new class of web cache poisoning attacks aimed at disabling web resources and websites. --------------------------------------------- https://cpdos.org/ ∗∗∗ Tech, Security Firms Launch Operational Technology Cyber Security Alliance ∗∗∗ --------------------------------------------- Several major tech and cybersecurity companies have joined forces for a new initiative called the Operational Technology Cyber Security Alliance (OTCSA), which aims to help industrial and critical infrastructure organizations address challenges related to OT security by providing guidance and resources. --------------------------------------------- https://www.securityweek.com/tech-security-firms-launch-operational-technol… ∗∗∗ Investment-Firmen fordern Zugriff auf Ihr System? Nehmen Sie Abstand! ∗∗∗ --------------------------------------------- Nehmen Sie sich vor Investments bei unseriösen Firmen wie aurumpro.co beziehungsweise Muller Enterprise LTD in Acht. Angebliche BeraterInnen kontaktieren Sie telefonisch und verleiten Sie zu immer höheren Investments. Um "effektiver" handeln zu können, verlangt man die Installation von Fernwartungssoftware wie AnyDesk oder TeamViewer. Tun Sie dies nicht und nehmen Sie Abstand – man hat es auf Ihr Vermögen abgesehen! --------------------------------------------- https://www.watchlist-internet.at/news/investment-firmen-fordern-zugriff-au… ===================== = Vulnerabilities = ===================== ∗∗∗ Schneider Electric ProClima ∗∗∗ --------------------------------------------- This advisory contains mitigations for code injection, improper restriction of operations within the bounds of a memory buffer, and uncontrolled search path element vulnerabilities in Schneider Electrics ProClima building and automation control products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-295-01 ∗∗∗ Firefox, Chrome Bugs Allow Arbitrary Code-Execution ∗∗∗ --------------------------------------------- Multiple critical memory safety bugs in Firefox 69 and Firefox ESR 68.1 in particular affect medium and large government entities and enterprises. --------------------------------------------- https://threatpost.com/critical-firefox-bugs-arbitrary-code-execution/14945… ∗∗∗ OpenAFS Security Advisory 2019-001 ∗∗∗ --------------------------------------------- Topic: information leakage from uninitialized RPC output variables on error Issued: 22 October, 2019 Affected: OpenAFS versions 1.0 through 1.6.23, and 1.8.0 through 1.8.4 --------------------------------------------- http://openafs.org/pages/security/OPENAFS-SA-2019-001.txt ∗∗∗ OpenAFS Security Advisory 2019-002 ∗∗∗ --------------------------------------------- Topic: information leakage from uninitialized scalars Issued: 22 October, 2019 Affected: OpenAFS versions 1.0 through 1.6.23, and 1.8.0 through 1.8.4 --------------------------------------------- http://openafs.org/pages/security/OPENAFS-SA-2019-002.txt ∗∗∗ OpenAFS Security Advisory 2019-003 ∗∗∗ --------------------------------------------- Topic: database server crash from unserialized data access Issued: 22 October, 2019 Affected: OpenAFS versions 1.0 through 1.6.23, and 1.8.0 through 1.8.4 --------------------------------------------- http://openafs.org/pages/security/OPENAFS-SA-2019-003.txt ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (go, go-pie, pacman, and xpdf), CentOS (java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, and patch), openSUSE (gcc7), Red Hat (firefox, kernel, and qemu-kvm-rhev), Slackware (mozilla), SUSE (kernel, libcaca, openconnect, python, sysstat, and zziplib), and Ubuntu (libxslt, linux-azure, and linux-lts-xenial, linux-aws). --------------------------------------------- https://lwn.net/Articles/802941/ ∗∗∗ Avast, Avira Products Vulnerable to DLL Hijacking ∗∗∗ --------------------------------------------- Vulnerabilities in Avast Antivirus, AVG Antivirus, and Avira Antivirus could allow an attacker to load a malicious DLL file in an effort to bypass defenses and escalate privileges, SafeBreach Labs security researchers discovered. read more --------------------------------------------- https://www.securityweek.com/avast-avira-products-vulnerable-dll-hijacking ∗∗∗ Security Advisory - Out-Of-Bound Read Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191023-… ∗∗∗ Security Advisory - Insufficient Authentication Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191023-… ∗∗∗ Security Advisory - Memory Leak Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191023-… ∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2019-1547, CVE-2019-1563) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi… ∗∗∗ IBM Security Bulletin: Vulnerability in Apache Commons Beanutils affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-10086) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-apac… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4486) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-maximo-asset-mana… ∗∗∗ IBM Security Bulletin: A security vulnerability affects IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition (CVE-2019-4398) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition is affected by ASoC vulnerability (CVE-2019-4459) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-orchestrato… ∗∗∗ IBM Security Bulletin: A security vulnerability affects IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition (CVE-2019-4397) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by glibc vulnerabilities (CVE-2018-20796, CVE-2019-9169) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi… ∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi… ∗∗∗ BIND vulnerability CVE-2018-5743 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74009656 ∗∗∗ BIG-IP vulnerability CVE-2018-15333 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53620021 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2019
by Daily end-of-shift report 22 Oct '19

22 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Montag 21-10-2019 18:00 − Dienstag 22-10-2019 18:00 Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Three Service Account Secrets Straight from Hackers and Security Pros ∗∗∗ --------------------------------------------- A survey of nearly 300 Black Hat conference attendees this year showed strong agreement that service accounts are an attractive target. --------------------------------------------- https://threatpost.com/service-account-secrets/148996/ ∗∗∗ MISP Summit 0x05 Wrap-Up ∗∗∗ --------------------------------------------- I’m in Luxembourg for a full week of infosec events. It started today with the MISP summit. It was already the fifth edition and, based on the number of attendees, the tool is getting more and more popularity. --------------------------------------------- https://blog.rootshell.be/2019/10/21/misp-summit-0x05-wrap-up/ ∗∗∗ emotet_network_protocol ∗∗∗ --------------------------------------------- This repository has been created with the idea of helping the community of cybersecurity researchers and malware researchers. It explains in detail how the network communication protocol used by Emotet to communicate with the C&Cs works. Knowing all these details, it should be relatively easy to emulate the communication, and obtain the new modules and distributed malware directly from the c&c. --------------------------------------------- https://d00rt.github.io/emotet_network_protocol/ ∗∗∗ Avast, NordVPN Breaches Tied to Phantom User Accounts ∗∗∗ --------------------------------------------- Antivirus and security giant Avast and virtual private networking (VPN) software provider NordVPN each today disclosed months-long network intrusions that -- while otherwise unrelated -- shared a common cause: Forgotten or unknown user accounts that granted remote access to internal systems with little more than a password. --------------------------------------------- https://krebsonsecurity.com/2019/10/avast-nordvpn-breaches-tied-to-phantom-… ∗∗∗ The forgotten domain: Exploring a link between Magecart Group 5 and the Carbanak APT ∗∗∗ --------------------------------------------- Bread crumbs left behind open up a possible connection between Magecart Group 5 and Carbanak. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-… ∗∗∗ Malspam Campaign Targeted German Organizations with Buran Ransomware ∗∗∗ --------------------------------------------- Researchers spotted a malspam campaign that targeted German organizations with samples of the Buran crypto-ransomware family. In early October, Bromium observed a malspam campaign whose emails impersonated online fax service eFax. The emails contained hyperlinks to a PHP page that served up malicious Word documents. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/malspam… ∗∗∗ genosyla.net und versandhaus-voss.de liefern keine Ware ∗∗∗ --------------------------------------------- Bei genosyla.net und versandhaus-voss.de finden Sie günstige Elektrogeräte. Viele Produkte sind im Schnitt 100 Euro billiger als bei anderen Shops. Der Haken: die Ware wird trotz Bezahlung nie geliefert. Es handelt sich um betrügerische Webshops. Sie verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/genosylanet-und-versandhaus-vossde-l… ∗∗∗ Browser-based attacks, our customers, and us ∗∗∗ --------------------------------------------- While some browser-based attacks such as web skimming steal customer data and thus victimize both the organization and the users, other attacks leverage an organizations website to attack the customers or to attack another organization entirely. --------------------------------------------- https://www.zdnet.com/article/browser-based-attacks-our-customers-and-us/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (jss and kernel), Debian (libpcap, openjdk-8, and tcpdump), Fedora (java-11-openjdk), openSUSE (libreoffice), Oracle (java-1.7.0-openjdk), Red Hat (java-1.7.0-openjdk, python, and wget), Scientific Linux (java-1.7.0-openjdk), SUSE (ceph, ceph-iscsi, ses-manual_en, dhcp, openconnect, and procps), and Ubuntu (exiv2, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, [...] --------------------------------------------- https://lwn.net/Articles/802863/ ∗∗∗ ZDI-19-908: Foxit Studio Photo JPEG Batch Processing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-908/ ∗∗∗ IBM Security Bulletin: Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-bulletin-ibm… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2019
by Daily end-of-shift report 21 Oct '19

21 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-10-2019 18:00 − Montag 21-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Avast Network Breached As Hackers Target CCleaner Again ∗∗∗ --------------------------------------------- Avast said it believes that threat actors are again looking to target CCleaner in a supply chain attack. --------------------------------------------- https://threatpost.com/avast-network-breached-as-hackers-target-ccleaner-ag… ∗∗∗ Attention: Your blog may be used to spread the Emotet Trojan! ∗∗∗ --------------------------------------------- Emotet was originally a banking Trojan that targeted bank customers in Europe and stole relevant bank credentials. In 2017, Emotet changed its business model from [...] --------------------------------------------- https://blog.360totalsecurity.com/en/attention-your-blog-may-be-used-to-spr… ∗∗∗ Winnti Group’s skip‑2.0: A Microsoft SQL Server backdoor ∗∗∗ --------------------------------------------- Notorious cyberespionage group debases MSSQL --------------------------------------------- https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sq… ===================== = Vulnerabilities = ===================== ∗∗∗ Linux: Kritische Zeroday-Lücke im WLAN-Treiber ∗∗∗ --------------------------------------------- Mit speziell präparierten WLAN-Paketen könnten Angreifer Linux-Systeme kapern, die Realtek-Chips einsetzen. --------------------------------------------- https://heise.de/-4562505 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (aspell, graphite-web, imagemagick, mediawiki, milkytracker, nfs-utils, and openjdk-11), Fedora (kernel, kernel-headers, kernel-tools, mediawiki, and radare2), openSUSE (dhcp, libpcap, lighttpd, and tcpdump), Scientific Linux (java-1.8.0-openjdk), Slackware (python), SUSE (bluez, kernel, and python-xdg), and Ubuntu (aspell). --------------------------------------------- https://lwn.net/Articles/802776/ ∗∗∗ AVM FRITZ!OS: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/10/warn… ∗∗∗ Trend Micro Anti-Threat Toolkit (ATTK) < = v1.62.0.1218 Remote Code Execution 0day ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019100137 ∗∗∗ IBM Security Bulletin: Version 8.15.0 of Node.js included in IBM Cloud Event Management 2.3.0 has several security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-version-8-15-0-of-nod… ∗∗∗ IBM Security Bulletin: IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition is affected by HTTP Server vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-orchestrato… ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise (CVE-2018-1996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ Linux kernel vulnerability CVE-2019-16089 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03814795?utm_source=f5support&utm_mediu… ∗∗∗ Linux kernel vulnerability CVE-2019-15666 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53420251?utm_source=f5support&utm_mediu… ∗∗∗ Authentication Bypass Vulnerability in the Management Interface of Citrix Application Delivery Controller and Citrix Gateway ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX261055 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2019
by Daily end-of-shift report 18 Oct '19

18 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-10-2019 18:00 − Freitag 18-10-2019 18:00 Handler: n/a Co-Handler: n/a ===================== = News = ===================== ∗∗∗ STOP Ransomware Decryptor Released for 148 Variants ∗∗∗ --------------------------------------------- The release of Emsisofts STOP Ransomware decryption service is a huge achievement and will be a life saver for both the victims and the helpers on BleepingComputer. It should be noted, though, that while this decryptor can help with the majority of STOP variants, anyone who was infected after August 2019 cannot be helped. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stop-ransomware-decryptor-re… ∗∗∗ REvil Ransomware Affiliates Partner with Corporate Intruders ∗∗∗ --------------------------------------------- Experienced network intruders and ransomware groups have struck an alliance helping each other monetize their skills by spreading malware to company networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revil-ransomware-affiliates-… ∗∗∗ Ordinypt: Resurgence ∗∗∗ --------------------------------------------- Recently, the Ordinypt malware has seen a resurgence in the wild, disguised as fake job applications sent via email to human resource departments in German companies. The malware uses social engineering to infect the user’s files and trick them into paying cryptocurrency to restore the infected files. --------------------------------------------- https://www.gdatasoftware.com/blog/2019/10/35358-resurgence ∗∗∗ Quick Malicious VBS Analysis, (Fri, Oct 18th) ∗∗∗ --------------------------------------------- Lets have a look at a VBS sample found yesterday. It started as usual with a phishing email that contained a link to a malicious ZIP archive. This technique is more and more common to deliver the first stage via a URL because it reduces the risk to have the first file blocked by classic security controls. --------------------------------------------- https://isc.sans.edu/diary/rss/25430 ∗∗∗ Fake UpdraftPlus Plugins ∗∗∗ --------------------------------------------- We often find various fake WordPress plugins installed by hackers during website cleanups. Recently, we’ve noticed a new wave of infections that install fake plugins with backdoor functionality. --------------------------------------------- https://blog.sucuri.net/2019/10/fake-updraftplus-plugins.html ∗∗∗ Samsung to patch S10 fingerprint sensor bug next week ∗∗∗ --------------------------------------------- Samsung promises software patch next week; recommends not using custom screen covers in the meantime. --------------------------------------------- https://www.zdnet.com/article/samsung-to-patch-s10-fingerprint-sensor-bug-n… ===================== = Vulnerabilities = ===================== ∗∗∗ AVEVA Vijeo Citect and Citect SCADA ∗∗∗ --------------------------------------------- This advisory contains mitigations for a stack-based buffer overflow vulnerability in the AVEVA Vijeo Citect and Citect SCADA. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-290-01 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- This advisory contains mitigations for improper input validation and out-of-bounds write vulnerabilities in Horner Automations Cscape control system application programming software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-290-02 ∗∗∗ VMSA-2019-0017 ∗∗∗ --------------------------------------------- VMware SD-WAN by VeloCloud update addresses information disclosure vulnerability (CVE-2019-5533) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0017.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (poppler, sudo, and wordpress), Oracle (java-1.8.0-openjdk), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and kernel), and SUSE (kernel and postgresql10). --------------------------------------------- https://lwn.net/Articles/802622/ ∗∗∗ Synology-SA-19:34 WordPress ∗∗∗ --------------------------------------------- These vulnerabilities allow remote attackers to inject arbitrary web script or HTML, obtain sensitive information, or access intranet resources via a susceptible version of WordPress. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_34 ∗∗∗ InfoZIP vulnerability CVE-2019-13232 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K80311892 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2019
by Daily end-of-shift report 17 Oct '19

17 Oct '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-10-2019 18:00 − Donnerstag 17-10-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 10 Steps for Ransomware Protection ∗∗∗ --------------------------------------------- Here are things you can do right now to shore up your defenses and help your recovery when you get hit. --------------------------------------------- https://threatpost.com/10-steps-ransomware-protection/149259/ ∗∗∗ Betrüger übernehmen alte E-Mail-Adressen ∗∗∗ --------------------------------------------- Das Bundeskriminalamt (BKA) warnt vor missbräuchlicher Verwendung alter E-Mail-Adressen. Betrüger würden sich länger nicht genutzte E-Mail-Adressen aneignen, um damit Zugang zu persönlichen Nutzerkonten zu erlangen, so das BKA. Gaming Accounts und Nutzerkonten in Sozialen Medien seien besonders betroffen. --------------------------------------------- https://help.orf.at/stories/2993027/ ∗∗∗ l+f: Leise rieselt der Crypto-Miner ∗∗∗ --------------------------------------------- Forscher entdecken Crypto-Miner und Backdoors, die sich in WAV-Dateien verstecken. --------------------------------------------- https://heise.de/-4558856 ∗∗∗ Cisco fixes serious flaws in enterprise-grade Catalyst and Aironet access points ∗∗∗ --------------------------------------------- Cisco has released another batch of security updates, the most critical of which fixes a vulnerability that could allow unauthenticated, remote attackers to gain access to vulnerable Cisco Aironet wireless access points. Cisco Aironet APs are enterprise-grade access points used for branch offices, campuses, organizations of all sizes, enterprise and carrier-operator Wi-Fi deployments, and so on. --------------------------------------------- https://www.helpnetsecurity.com/2019/10/17/cisco-aironet-vulnerabilities/ ∗∗∗ KRACK‑Sicherheitslücke in Alexa Smart Home Geräten ∗∗∗ --------------------------------------------- Das ESET Smart Home Research Team entdeckte KRACK-Sicherheitslücken in einigen Amazon Echo- und Kindle-Geräten. --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/10/17/krack-sicherheitsluecke-a… ∗∗∗ Werbung für betrügerische Elektriker auf Google ∗∗∗ --------------------------------------------- Wenn zu Hause der Strom ausfällt, verschafft oft nur eine Fachkraft Abhilfe. Die Suche über Google am Smartphone liegt dabei natürlich nahe. Doch Vorsicht: Die Gefahr, über die Anzeigen auf unseriöse Angebote zu stoßen, ist hoch! Opfer landen beispielsweise auf elektriker-mg.at, elektriker-dienst.at oder elektriker.24std.expert, wo die großen Versprechen in schlechter Arbeit zu horrenden Preisen münden. --------------------------------------------- https://www.watchlist-internet.at/news/werbung-fuer-betruegerische-elektrik… ===================== = Vulnerabilities = ===================== ∗∗∗ Dangerous Kubernetes Bugs Allow Authentication Bypass, DoS ∗∗∗ --------------------------------------------- The flaws in the container technology, CVE-2019-16276 and CVE-2019-11253, are simple to exploit. --------------------------------------------- https://threatpost.com/kubernetes-bugs-authentication-bypass-dos/149265/ ∗∗∗ Security updates available in Foxit Reader 9.7, Foxit PhantomPDF 9.7 and Foxit PhantomPDF Mac 3.4 ∗∗∗ --------------------------------------------- Foxit has released Foxit Reader 9.7 and Foxit PhantomPDF 9.7, which addresses potential security and stability issues. Foxit has released Foxit PhantomPDF Mac 3.4, which addresses potential security and stability issues. --------------------------------------------- https://www.foxitsoftware.com/support/security-bulletins.php ∗∗∗ VMSA-2019-0017 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, Fusion, VMRC and Horizon Client updates address use-after-free and denial of service vulnerabilities. (CVE-2019-5527, CVE-2019-5535) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0017.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (sudo), Debian (libsdl1.2 and libsdl2), Mageia (e2fsprogs, kernel, libpcap and tcpdump, nmap, and sudo), openSUSE (GraphicsMagick and sudo), Oracle (java-1.8.0-openjdk, java-11-openjdk, jss, and kernel), Red Hat (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (jss), SUSE (gcc7 and libreoffice), and Ubuntu (leading to a double-free, libsdl1.2, and tiff). --------------------------------------------- https://lwn.net/Articles/802537/ ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/10/warn… ∗∗∗ CyberArk Password Vault 10.6 Authentication Bypass ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019100114 ∗∗∗ Booking and Availability Management Tools for Drupal - Moderately critical - Access Bypass - SA-CONTRIB-2019-074 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2019-074 ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ Vim/Neovim vulnerability CVE-2019-12735 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K93144355?utm_source=f5support&utm_mediu… ∗∗∗ Internet Systems Consortium BIND: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0924 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily