- Daily - CERT.at

Tageszusammenfassung - 28.02.2020
by Daily end-of-shift report 28 Feb '20

28 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-02-2020 18:00 − Freitag 28-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Nemty Ransomware Actively Distributed via Love Letter Spam ∗∗∗ --------------------------------------------- Security researchers have spotted an ongoing malspam campaign using emails disguised as messages from secret lovers to deliver Nemty Ransomware payloads on the computers of potential victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nemty-ransomware-actively-di… ∗∗∗ Site Takeover Campaign Exploits Multiple Zero-Day Vulnerabilities ∗∗∗ --------------------------------------------- Early yesterday, the Flexible Checkout Fields for WooCommerce plugin received a critical update to patch a zero-day vulnerability which allowed attackers to modify the plugin’s settings. As our Threat Intelligence team researched the scope of this attack campaign, we discovered three additional zero-day vulnerabilities in popular WordPress plugins that are being exploited as a part of this [...] --------------------------------------------- https://www.wordfence.com/blog/2020/02/site-takeover-campaign-exploits-mult… ∗∗∗ Ghostcat bug impacts all Apache Tomcat versions released in the last 13 years ∗∗∗ --------------------------------------------- Ghostcat vulnerability can allow hackers to read configuration files or plant backdoors on Tomcat servers. --------------------------------------------- https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versio… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-1.7.0-openjdk and ppp), Debian (libimobiledevice, libusbmuxd, and pure-ftpd), Fedora (caddy, firejail, golang-github-gorilla-websocket, golang-vitess, hugo, mingw-libpng, php, and proftpd), openSUSE (chromium, enigmail, ipmitool, libsolv, libzypp, zypper, weechat, and yast2-rmt), Oracle (java-1.7.0-openjdk and ppp), Red Hat (java-1.7.0-openjdk and ppp), Scientific Linux (java-1.7.0-openjdk and ppp), and SUSE (java-1_8_0-ibm, kernel, mariadb, [...] --------------------------------------------- https://lwn.net/Articles/813543/ ∗∗∗ HPESBST03980 rev.1 - HPE StoreFabric C-series Switches with Cisco Prime Data Center Network Manager (DCNM), Remote Authentication Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ wpdefault - Backdoor Plugin ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10096 ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java SDK affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-2989, CVE-2020-2593 and CVE-2019-4732 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Apache Log4j vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Man in the middle vulnerability CVE-2014-3603 affects Websphere Liberty and OpenLiberty used by MobileFirst Platform Foundation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-man-in-the-middle-vulnera… ∗∗∗ Security Bulletin: Node.js vulnerabilities affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-vulnerabilities-a… ∗∗∗ Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerabilities in TCP (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management… ∗∗∗ Security Bulletin: WebSphere Application Server Liberty vulnerabilities affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-4663 and CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Node.js handlebars vulnerabilities affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-handlebars-vulner… ∗∗∗ Security Bulletin: MobileFirst Platform Foundation is affected by WebSphere Application Server Liberty is affected by Apache Commons Compress vulnerability (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mobilefirst-platform-foun… ∗∗∗ Security Bulletin: Information disclosure vulnerability in WebSphere Application Server which is shipped with Jazz for Service Management (CVE-2019-4477) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by Apache HTTP Server vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.02.2020
by Daily end-of-shift report 27 Feb '20

27 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-02-2020 18:00 − Donnerstag 27-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Norton LifeLock Phishing Scam Installs Remote Access Trojan ∗∗∗ --------------------------------------------- Cybercriminals behind a recently observed phishing campaign used a clever ruse in the form of a bogus NortonLifelock document to fool victims into installing a remote access tool (RAT) that is typically used for legitimate purposes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/norton-lifelock-phishing-sca… ∗∗∗ RSAC 2020: Smart Baby Monitor Vulnerable to Remote Hackers ∗∗∗ --------------------------------------------- A popular baby monitor has been found riddled with vulnerabilities that give attackers full access to personal information and sensitive video footage. --------------------------------------------- https://threatpost.com/rsac-2020-another-smart-baby-monitor-vulnerable-to-r… ∗∗∗ Android malware can steal Google Authenticator 2FA codes ∗∗∗ --------------------------------------------- A new version of the "Cerberus" Android banking trojan will be able to steal one-time codes generated by the Google Authenticator app and bypass 2FA-protected accounts. --------------------------------------------- https://www.zdnet.com/article/android-malware-can-steal-google-authenticato… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel, ksh, python-pillow, and thunderbird), Debian (opensmtpd, proftpd-dfsg, and rake), Fedora (NetworkManager-ssh), openSUSE (chromium), and SUSE (libexif, mariadb, ovmf, python3, and squid). --------------------------------------------- https://lwn.net/Articles/813431/ ∗∗∗ Wireshark: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Wireshark ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0177 ∗∗∗ Wi-Fi Protected Network and Wi-Fi Protected Network 2 Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: SQL injection vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4479) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-vulnerabili… ∗∗∗ Security Bulletin: IBM MQ certified container is vulnerable to multiple vulnerabilities within IBM MQ.(CVE-2019-4655, CVE-2019-4560, CVE-2019-4614, CVE-2019-4620) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-certified-containe… ∗∗∗ Security Bulletin: Vulnerability in OpenSLP affects Power Hardware Management Console (CVE-2019-5544) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openslp-… ∗∗∗ Security Bulletin: IBM MQ certified container is vulnerable to a denial of service vulnerability in golang (CVE-2019-17596) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-certified-containe… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2019 CPU (CVE-2019-2964,CVE-2019-2978,CVE-2019-2983,CVE-2019-2989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Bypass security restrictions in WAS Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bypass-security-restricti… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in OpenSSL and the Kernel shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.02.2020
by Daily end-of-shift report 26 Feb '20

26 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-02-2020 18:00 − Mittwoch 26-02-2020 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Multiple WordPress Plugin Vulnerabilities Actively Being Attacked ∗∗∗ --------------------------------------------- One adversary security researchers call 'tonyredball' gets backdoor access to websites that run a vulnerable version of the following two plugins: * ThemeGrill Demo Importer (below 1.6.3) * Profile Builder free and Pro (below 3.1.1) --------------------------------------------- https://www.bleepingcomputer.com/news/security/multiple-wordpress-plugin-vu… ∗∗∗ Flaw in Billions of Wi-Fi Devices Left Communications Open To Eavesdropping ∗∗∗ --------------------------------------------- Eset, the security company that discovered the vulnerability, said the flaw primarily affects Cyperess' and Broadcom's FullMAC WLAN chips, which are used in billions of devices. Eset has named the vulnerability Kr00k, and it is tracked as CVE-2019-15126. Manufacturers have made patches available for most or all of the affected devices, but it's not clear how many devices have installed the patches. Of greatest concern are vulnerable wireless routers, which often go unpatched indefinitely. --------------------------------------------- https://mobile.slashdot.org/story/20/02/26/165207/flaw-in-billions-of-wi-fi… ∗∗∗ Silver & Golden Tickets Explained ∗∗∗ --------------------------------------------- This article clarifies the concepts of PAC, Silver Ticket, Golden Ticket, as well as the different encryption methods used in authentication. These notions are essential to understand Kerberos attacks in Active Directory. --------------------------------------------- https://en.hackndo.com/kerberos-silver-golden-tickets/ ∗∗∗ PayPal über Google Pay: Lücke noch immer nicht behoben – und wohl schlimmer als befürchtet ∗∗∗ --------------------------------------------- Eine Sicherheitslücke, die unautorisierte PayPal-Abbuchungen via Google Pay ermöglicht, ist laut ihrem Entdecker noch leichter ausnutzbar als zuvor angenommen. --------------------------------------------- https://heise.de/-4668350 ∗∗∗ HTTP Request Smuggling. A how-to ∗∗∗ --------------------------------------------- HTTP Request Smuggling is not a new issue, a 2005 white paper from Watchfire discusses it in detail and there are other resources too. What I found missing was practical, actionable, how-to references. This post covers my findings and, hopefully, sheds some light on the intricacies of HTTP Request Smuggling. --------------------------------------------- https://www.pentestpartners.com/security-blog/http-request-smuggling-a-how-… ∗∗∗ Ist diese Webseite seriös? – Checken Sie unsere Listen! ∗∗∗ --------------------------------------------- Es ist nicht unwahrscheinlich, dass Sie als InternetnutzerIn ab und an auf eine betrügerische oder unseriöse Internetseite stoßen. Haben Sie beispielsweise bei einem Online-Shop, einer Streaming-Plattform, einem Speditionsunternehmen oder einer Reiseplattform ein ungutes Gefühl, schauen Sie am besten in unseren Listen nach. Dort finden Sie unzählige Internetseiten, die Sie besser meiden sollten! --------------------------------------------- https://www.watchlist-internet.at/news/ist-diese-webseite-serioes-checken-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Privilege escalation vulnerability in multiple RICOH printer drivers ∗∗∗ --------------------------------------------- If a user who can login to the computer where the affected printer driver is installed uses the specially crafted printer driver, that may result in administrative privileges being taken by privilege escalation. --------------------------------------------- https://jvn.jp/en/jp/JVN15697526/ ∗∗∗ Multiple vulnerabilities in RICOH printers ∗∗∗ --------------------------------------------- * A user who can access the device may access the debugging Web page and obtain sensitive information - CVE-2019-14301 * A user who can physically access the device may execute arbitrary code, alter settings, and/or disable the function - CVE-2019-14302 * If a user accesses a specially crafted page, unintended operations such as changing settings of the device may be performed - CVE-2019-14304 * A user who can access the device may the device settings information - CVE-2019-14306 --------------------------------------------- https://jvn.jp/en/jp/JVN52962201/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-pysaml2), Mageia (clamav, graphicsmagick, opencontainers-runc, squid, and xmlsec1), Oracle (kernel, ksh, python-pillow, systemd, and thunderbird), Red Hat (rh-nodejs12-nodejs), Scientific Linux (ksh, python-pillow, and thunderbird), and SUSE (nodejs6, openssl, ppp, and squid). --------------------------------------------- https://lwn.net/Articles/813349/ ∗∗∗ Moxa MB3xxx Series Protocol Gateways ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-056-01 ∗∗∗ Moxa ioLogik 2542-HSPA Series Controllers and IOs, and IOxpress Configuration Utility ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-056-02 ∗∗∗ Moxa PT-7528 and PT-7828 Series Ethernet Switches ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-056-03 ∗∗∗ Moxa EDS-G516E and EDS-510E Series Ethernet Switches ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-056-04 ∗∗∗ Honeywell WIN-PAK ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-056-05 ∗∗∗ Cisco FXOS Software CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco UCS Manager Software Local Management CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Border Gateway Protocol MD5 Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Anycast Gateway Invalid ARP Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software NX-API Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Nexus 1000V Switch for VMware vSphere Secure Login Enhancements Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco MDS 9000 Series Multilayer Switches Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FXOS and UCS Manager Software CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FXOS and UCS Manager Software Local Management CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FXOS and NX-OS Software Cisco Discovery Protocol Arbitrary Code Execution and Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FXOS Software CLI Arbitrary File Read and Write Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco UCS Manager Software Local Management CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Nexus 1000V Switch for VMware vSphere Secure Login Enhancements Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco MDS 9000 Series Multilayer Switches Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FXOS and UCS Manager Software Local Management CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Out of Bounds Write Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200226-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: SQL Injection Vulnerability Affects IBM Sterling B2B Integrator EBICS (CVE-2019-4597) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-vulnerabili… ∗∗∗ Security Bulletin: SQL Injection Vulnerability Affects IBM Sterling B2B Integrator Dashboard User Interface (CVE-2019-4598) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-vulnerabili… ∗∗∗ Security Bulletin: Cross-Site Request Forgery Affects IBM Sterling B2B Integrator (CVE-2019-4726) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger… ∗∗∗ Security Bulletin: Information disclosure vulnerability in IBM WebSphere Service Registry and Repository (CVE-2019-4537) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Java Update ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-java-update/ ∗∗∗ Security Bulletin: Cross-Site Scripting Vulnerability Affects IBM Sterling B2B Integrator Dashboard User Interface (CVE-2019-4596) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect TPF Toolkit ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ HPESBST03983 rev.1 - HPE Command View Advanced Edition (CVAE), Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.02.2020
by Daily end-of-shift report 25 Feb '20

25 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Montag 24-02-2020 18:00 − Dienstag 25-02-2020 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Network Traffic Analysis for IR — Discovering RATs ∗∗∗ --------------------------------------------- Discovering RATs is not an easy task, as they neither show up on running processes nor slow down the computer speed. Nevertheless, incident response (IR) teams can perform a network traffic analysis to discover RATs. --------------------------------------------- https://resources.infosecinstitute.com/network-traffic-analysis-for-ir-disc… ∗∗∗ VB2019 paper: Static analysis methods for detection of Microsoft Office exploits ∗∗∗ --------------------------------------------- Today we publish the VB2019 paper and presentation by McAfee researcher Chintan Shah in which he described static analysis methods for the detection of Microsoft Office exploits. --------------------------------------------- https://www.virusbulletin.com:443/blog/2020/02/vb2019-paper-static-analysis… ∗∗∗ Fünf Jahre Updates: BSI definiert Anforderungen an sichere Smartphones ∗∗∗ --------------------------------------------- Das BSI bringt einen Katalog von Smartphone-Sicherheitskriterien heraus, die später ins IT-Sicherheitskennzeichen einfließen könnten. --------------------------------------------- https://heise.de/-4667637 ∗∗∗ ENISA publishes procurement guidelines for cybersecurity in hospitals ∗∗∗ --------------------------------------------- The Procurement Guidelines for Cybersecurity in Hospitals published by the Agency is designed to support the healthcare sector in taking informative decisions on cybersecurity when purchasing new hospital assets. It provides the information to be included in the procurement requests that hospitals publish in order to obtain IT equipment. --------------------------------------------- https://www.helpnetsecurity.com/2020/02/25/cybersecurity-procurement-hospit… ∗∗∗ PayPal accounts abused en-masse for unauthorized payments ∗∗∗ --------------------------------------------- Since last Friday, users have reported seeing mysterious transactions pop up in their PayPal history as originating from their Google Pay account. ... On February 25, 07:30am ET, PayPal told ZDNet that they have addressed the issue being exploited over the weekend. --------------------------------------------- https://www.zdnet.com/article/paypal-accounts-are-getting-abused-en-masse-f… ===================== = Vulnerabilities = ===================== ∗∗∗ Signature Validation Bypass Leading to RCE In Electron-Updater ∗∗∗ --------------------------------------------- As part of a security engagement for one of our customers, we have reviewed the update mechanism performed by Electron Builder, and discovered an overall lack of secure coding practices. In particular, we identified a vulnerability that can be leveraged to bypass the signature verification check hence leading to remote command execution. --------------------------------------------- https://blog.doyensec.com/2020/02/24/electron-updater-update-signature-bypa… ∗∗∗ McAfees WebAdvisor für Chrome und Firefox kann Hacker einladen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für McAfees Webbrowser-Erweiterung WebAdvisor. --------------------------------------------- https://heise.de/-4667767 ∗∗∗ Zyxel Fixes 0day in Network Storage Devices ∗∗∗ --------------------------------------------- The vulnerable devices include NAS542, NAS540, NAS520, NAS326, NSA325 v2, NSA325, NSA320S, NSA320, NSA310S, NSA310, NSA221, NSA220+, NSA220, and NSA210. The flaw is designated as CVE-2020-9054. However, many of these devices are no longer supported by Zyxel and will not be patched. Zyxel’s advice for those users is simply “do not leave the product directly exposed to the internet.” --------------------------------------------- https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-dev… ∗∗∗ Multiple Cross-site Scripting (XSS) Vulnerabilities in PHP-Fusion CMS ∗∗∗ --------------------------------------------- Business recommendation: Update to the latest version of PHP-Fusion. --------------------------------------------- https://sec-consult.com/en/blog/advisories/multiple-cross-site-scripting-xs… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl and otrs2), Fedora (NetworkManager-ssh and python-psutil), Mageia (ipmitool, libgd, libxml2_2, nextcloud, radare2, and upx), openSUSE (inn and sudo), Oracle (kernel, ksh, python-pillow, and thunderbird), Red Hat (curl, kernel, nodejs:10, nodejs:12, procps-ng, rh-nodejs10-nodejs, ruby, and systemd), SUSE (dpdk, firefox, java-1_7_1-ibm, java-1_8_0-ibm, libexif, libvpx, nodejs10, nodejs8, openssl1, pdsh, slurm_18_08, python-azure-agent, python3, webkit2gtk3), Ubuntu (libapache2-mod-auth-mellon, libpam-radius-auth, rsync). --------------------------------------------- https://lwn.net/Articles/813250/ ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- D-LINK Router DIR-867, D-LINK Router DIR-878, D-LINK Router DIR-882 Ein anonymer Angreifer aus dem angrenzenden Netzbereich kann mehrere Schwachstellen in D-LINK Routern ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0159 ∗∗∗ Security Bulletin: IBM QRadar Advisor With Watson App for IBM QRadar SIEM uses weaker than expected cryptographic algorithms (CVE-2019-4557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-advisor-with-w… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM QRadar Advisor With Watson App for IBM QRadar SIEM uses weaker than expected cryptographic algorithms (CVE-2019-4557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-advisor-with-w… ∗∗∗ Linux sudo process vulnerability CVE-2019-18634 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91327225?utm_source=f5support&utm_mediu… ∗∗∗ PHOENIX CONTACT: Advisory for multiple FL Switch GHS utilising VxWorks ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-002 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.02.2020
by Daily end-of-shift report 24 Feb '20

24 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-02-2020 18:00 − Montag 24-02-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 10 Gets Temp Fix for Critical Security Vulnerability ∗∗∗ --------------------------------------------- Until Microsoft releases a permanent solution for the troublesome KB4532693 update, enterprises with Windows 10 1903 and 1909 are forced to delay applying the security fixes that come with it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-10-gets-temp-fix-for… ∗∗∗ Celebrating Milestones (European CERT/CSIRT Report Coverage) ∗∗∗ --------------------------------------------- Celebrating a particularly significant long term milestone - our 107th National CERT/CSIRT recently signed up for Shadowservers free daily networking reporting service, which takes us to 136 countries and over 90% of the IPv4 Internet by IP space/ASN. This has finally changed our internal CERT reporting coverage map of Europe entirely green. --------------------------------------------- https://www.shadowserver.org/news/celebrating-milestones-european-cert-csir… ∗∗∗ Microsoft stellt Domaincontroller langsam auf LDAPS um ∗∗∗ --------------------------------------------- Microsoft bereitet eine Umstellung auf LDAPS im Active Directory vor. Admins sollten rechtzeitig Einstellungen und Logs prüfen, um Ausfälle zu vermeiden. --------------------------------------------- https://heise.de/-4666079 ∗∗∗ Emotet: Sicherheitsrisiko Microsoft Office 365 ∗∗∗ --------------------------------------------- Dokumentiert aber wenig bekannt: Den Business-Versionen von Office 365 fehlt eine wichtige Schutzfunktion, die unter anderem Emotet-Infektionen verhindern kann. --------------------------------------------- https://heise.de/-4665197 ∗∗∗ Betrügerisches Wettbüro: sportbetting-365.com ∗∗∗ --------------------------------------------- Vorsicht vor betrügerischen Wettbüros im Internet wie sportbetting-365.com. Die Website erinnert auf den ersten Blick an zahlreiche echte Wettangebote und Online-Casinos. Bei genauerem Hinsehen fallen aber grobe Mängel auf: So gibt es beispielsweise kein Impressum. Einzahlungen funktionieren äußerst einfach, Auszahlungen hingegen sind praktisch unmöglich. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-wettbuero-sportbetti… ===================== = Vulnerabilities = ===================== ∗∗∗ OpenSMTPD 6.6.4p1 Security Release ∗∗∗ --------------------------------------------- An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group. --------------------------------------------- https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.4p1 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libpam-radius-auth, pillow, ppp, proftpd-dfsg, and python-pysaml2), Fedora (firefox, glib2, hiredis, http-parser, libuv, mingw-openjpeg2, nghttp2, nodejs, openjpeg2, python-pillow, skopeo, and webkit2gtk3), Mageia (patch, postgresql, and systemd), Red Hat (ksh, nodejs:10, openjpeg2, python-pillow, systemd, and thunderbird), and SUSE (java-1_7_1-ibm, libsolv, libzypp, zypper, pdsh, slurm_18_08, and php53). --------------------------------------------- https://lwn.net/Articles/813153/ ∗∗∗ Bugtraq: [TZO-16-2020] - F-SECURE Generic Malformed Container bypass (GZIP) ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/542240 ∗∗∗ Cisco AnyConnect Secure Mobility Client for Windows Uncontrolled Search Path Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei PCManager Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200221-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (February 2020v2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to Path Disclosure (CVE-2019-4745) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2019-5481, CVE-2019-5482) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-curl-a… ∗∗∗ Security Bulletin: WebSphere Liberty susceptible to HTTP2 implementation vulnerablility. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-liberty-suscept… ∗∗∗ Security Bulletin: Vulnerability in Apache Commons Compress affects IBM Spectrum Protect Plus (CVE-2019-12402). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: Command injection vulnerabilities in IBM Spectrum Protect Plus (CVE-2020-4210, CVE-2020-4213, CVE-2020-4222, CVE-2020-4212, CVE-2020-4211) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-command-injection-vulnera… ∗∗∗ Security Bulletin: Vulnerabilities in Samba affect IBM Spectrum Protect Plus (CVE-2019-14833, CVE-2019-14847, CVE-2019-10218) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-samba-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Information Disclosure in IBM Spectrum Protect Plus (CVE-2019-4703) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: Multiple vulnerabilities in FasterXML Jackson-databind affect IBM Spectrum Protect Plus (CVE-2019-16943, CVE-2019-16942, CVE-2019-17531, CVE-2019-17267, CVE-2019-14540, CVE-2019-16335, CVE-2019-14379, CVE-2019-14439) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in libjpeg-turbo shipped with PowerAI. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ HPESBGN03984 rev.1 - HPE OpenCall Media Platform (OCMP), Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03985 rev.1 - Certain HPE Servers with Intel Xeon SP-based processors, Local Disclosure of Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.02.2020
by Daily end-of-shift report 21 Feb '20

21 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-02-2020 18:00 − Freitag 21-02-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Coronavirus-Malware breitet sich massiv aus ∗∗∗ --------------------------------------------- Cybersecurity-Experten warnen, dass der Coronavirus immer mehr zur Verbreitung von Malware genutzt wird. --------------------------------------------- https://futurezone.at/digital-life/coronavirus-malware-breitet-sich-massiv-… ∗∗∗ Subdomain-Takeover: Hunderte Microsoft-Subdomains gekapert ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher konnte in den vergangenen Jahren Hunderte Microsoft-Subdomains kapern, doch trotz Meldung kümmerte sich Microsoft nur um wenige. Doch nicht nur der Sicherheitsforscher, auch eine Glücksspielseite übernahm offizielle Microsoft.com-Subdomains. --------------------------------------------- https://www.golem.de/news/subdomain-takeover-hunderte-microsoft-subdomains-… ∗∗∗ Apple: Safari soll nur noch einjährige TLS-Zertifikate akzeptieren ∗∗∗ --------------------------------------------- Apples Browser Safari soll ab 1. September nur noch TLS-Zertifikate mit einer maximalen Gültigkeit von 13 Monaten akzeptieren. Betroffen sind Webseiten wie Github.com oder Microsoft.com, die derzeit auf Zwei-Jahres-Zertifikate setzen. --------------------------------------------- https://www.golem.de/news/apple-safari-soll-nur-noch-einjaehrige-tls-zertif… ∗∗∗ Quick Analysis of an Encrypted Compound Document Format, (Fri, Feb 21st) ∗∗∗ --------------------------------------------- We like when our readers share interesting samples! Even if we have our own sources to hunt for malicious content, its always interesting to get fresh meat from third parties. Robert shared an interesting Microsoft Word document that I quickly analysed. Thanks to him! --------------------------------------------- https://isc.sans.edu/diary/rss/25826 ∗∗∗ How to Find & Remove SEO Spam on WordPress ∗∗∗ --------------------------------------------- Perhaps the best way to dive into the subject of finding and removing SEO spam on WordPress is with a quick experiment — probably one you’ll want to conduct at a private location. Run a Google search with the terms buy viagra cialis. Without clicking anything (seriously, don’t), take a close look at the results. You’ll likely see one or more seemingly innocent, non-pharmaceutical websites advertising these medications. --------------------------------------------- https://blog.sucuri.net/2020/02/remove-seo-spam-wordpress.html ∗∗∗ Fuzzing – Angriff ist die beste Verteidigung ∗∗∗ --------------------------------------------- Das automatisierte Testen von Software mit Fuzzing bietet einige Vorzüge, die sich Entwickler beim Testen zunutze machen sollten. --------------------------------------------- https://heise.de/-4659818 ∗∗∗ Over 400 ICS Vulnerabilities Disclosed in 2019: Report ∗∗∗ --------------------------------------------- More than 400 vulnerabilities affecting industrial control systems (ICS) were disclosed in 2019 and over a quarter of them had no patches when their existence was made public, according to a report published on Thursday by industrial cybersecurity firm Dragos. --------------------------------------------- https://www.securityweek.com/over-400-ics-vulnerabilities-disclosed-2019-re… ∗∗∗ Identitätsdiebstahl: Sicherheitsforscher warnen vor grundlegender Lücke in LTE-Netzen ∗∗∗ --------------------------------------------- Angreifer könnten sich als andere Personen ausgeben, und in deren Namen auftreten – Allerdings hoher Aufwand notwendig --------------------------------------------- https://www.derstandard.at/story/2000114840745/identitaetsdiebstahl-sicherh… ===================== = Vulnerabilities = ===================== ∗∗∗ B&R Industrial Automation Automation Studio and Automation Runtime ∗∗∗ --------------------------------------------- This advisory contains mitigations for an improper authorization vulnerability in B&R Industrial Automations Automation Studio and Automation Runtime software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-051-01 ∗∗∗ Rockwell Automation FactoryTalk Diagnostics ∗∗∗ --------------------------------------------- This advisory contains mitigations for a deserialization of untrusted data vulnerability in Rockwell Automations FactoryTalk Diagnostics software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-051-02 ∗∗∗ Honeywell NOTI-FIRE-NET Web Server (NWS-3) ∗∗∗ --------------------------------------------- This advisory contains mitigations for authentication bypass by capture relay, and path traversal vulnerabilities in Honeywells NOTI-FIRE-NET web servers. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-051-03 ∗∗∗ Auto-Maskin RP210E, DCU210E, and Marine Observer Pro (Android App) ∗∗∗ --------------------------------------------- This advisory contains mitigations for cleartext transmission of sensitive information, origin validation error, use of hard-coded credentials, weak password recovery mechanism for forgotten password, and weak password requirements vulnerabilities in Auto-Maskins RP 210E Remote Panels, DCU 210E Control Units, and Marine Observer Pro (Android App). --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-051-04 ∗∗∗ Root-Sicherheitslücke gefährdet IBM-Datenbank Db2 ∗∗∗ --------------------------------------------- Db2 von IBM ist verwundbar und Angreifer könnten schlimmstenfalls Schadcode ausführen. Vorläufige Fixes sind verfügbar. --------------------------------------------- https://heise.de/-4665536 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (openjpeg2), Debian (cloud-init, jackson-databind, and python-reportlab), Red Hat (ksh, python-pillow, systemd, and thunderbird), Slackware (proftpd), SUSE (java-1_7_0-ibm, nodejs10, and nodejs12), and Ubuntu (ppp and squid, squid3). --------------------------------------------- https://lwn.net/Articles/812995/ ∗∗∗ Security Bulletin: IBM API Connect V5 is impacted by a denial of service vulnerability in Linux kernel (CVE-2019-11477) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-v5-is-imp… ∗∗∗ Security Bulletin: Phishing Attack Vulnerability Affects IBM Sterling B2B Integrator (CVE-2019-4595) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-phishing-attack-vulnerabi… ∗∗∗ Security Bulletin: Multiple Vulnerabilities identified in IBM StoredIQ ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM License Metric Tool v9 (CVE-2019-4441). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Trend Micro Produkte: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0155 ∗∗∗ Apache Tomcat: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0154 ∗∗∗ Red Hat OpenShift Container Platform: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0157 ∗∗∗ Red Hat Enterprise Linux Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0156 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.02.2020
by Daily end-of-shift report 20 Feb '20

20 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-02-2020 18:00 − Donnerstag 20-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cybergang Favors G Suite and Physical Checks For BEC Attacks ∗∗∗ --------------------------------------------- Exaggerated Lion, a newly discovered cybercrime group, uses new and unique tactics to target U.S. companies in BEC attacks. --------------------------------------------- https://threatpost.com/cybergang-favors-g-suite-and-physical-checks-for-bec… ∗∗∗ Nearly half of hospital Windows systems still vulnerable to RDP bugs ∗∗∗ --------------------------------------------- Almost half of connected hospital devices are still exposed to the wormable BlueKeep Windows flaw nearly a year after it was announced, according to a report released this week. --------------------------------------------- https://nakedsecurity.sophos.com/2020/02/20/nearly-half-of-hospital-windows… ∗∗∗ Building a Stronger Cybersecurity Community: 8th ENISA Industry Event ∗∗∗ --------------------------------------------- On 17 February 2020, the EU Agency for Cybersecurity organised its 8th Industry Event in Brussels. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/building-a-stronger-cybersecuri… ∗∗∗ Telecom Security Authorities meeting in Brussels ∗∗∗ --------------------------------------------- Last week the EU Agency for Cybersecurity hosted the 30th Article 13a meeting in Brussels. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/telecom-security-authorities-me… ∗∗∗ Sicherheitsupdates: Ciscos High-Availability-Feature heißt Angreifer willkommen ∗∗∗ --------------------------------------------- Cisco kümmert sich unter anderem um kritische Lücken in Smart Software Manager, Email Security Appliance & Co. --------------------------------------------- https://heise.de/-4664787 ∗∗∗ Betrügerische Trading-Plattformen nehmen frühere Opfer ins Visier ∗∗∗ --------------------------------------------- Unseriöse Trading-Plattformen versuchen ihren Opfern mit unterschiedlichsten Maschen das Geld aus der Tasche zu ziehen. Einige frühere Betroffene werden nun erneut kontaktiert, obwohl sie bereits jeglichen Kontakt abgebrochen hatten: Angeblich wurden zwischenzeitlich hohe Gewinne erzielt, die nach Zahlung der Steuern beantragt werden könnten. Hier darf nichts bezahlt werden! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-trading-plattformen-n… ∗∗∗ Exploiting Jira for Host Discovery ∗∗∗ --------------------------------------------- Last October I dived into the world of Jira Software (version 8.4.1) in the hope of discovering new vulnerabilities. Initially, I came across a few Cross-Site Request Forgery (CSRF) weaknesses, leading me to a vulnerability that allows a user to instruct the Jira server to initiate connections to other hosts of my choice. --------------------------------------------- https://medium.com/tenable-techblog/exploiting-jira-for-host-discovery-43be… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Adobe Flaws Fixed in Out-of-Band Update ∗∗∗ --------------------------------------------- Two critical Adobe vulnerabilities have been fixed in Adobe After Effects and Adobe Media Encoder. --------------------------------------------- https://threatpost.com/critical-adobe-flaws-fixed-in-out-of-band-update/153… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (netty and netty-3.9), Fedora (ceph, dovecot, poppler, and webkit2gtk3), openSUSE (inn and rmt-server), Oracle (openjpeg2), Red Hat (rabbitmq-server), Scientific Linux (openjpeg2), SUSE (dnsmasq, rsyslog, and slurm), and Ubuntu (php7.0). --------------------------------------------- https://lwn.net/Articles/812924/ ∗∗∗ jQuery vulnerability CVE-2015-9251 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K29562170 ∗∗∗ PHP: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0147 ∗∗∗ Duplicator < 1.3.28 - Unauthenticated Arbitrary File Download ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10078 ∗∗∗ Profile - Moderately critical - Access Bypass - SA-CONTRIB-2020-004 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2020-004 ∗∗∗ Security Bulletin: SQL Injection Affects IBM Emptoris Spend Analysis (CVE-2019-4752) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-affects-ibm… ∗∗∗ Security Bulletin: Resilient is vulnerable to Using Components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-resilient-is-vulnerable-t… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A Security Vulnerability Has Been Identified In IBM Security Secret Server (CVE-2019-4640) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-cast-iron-s… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Node.js affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM API Connect has addressed the following vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-has-addre… ∗∗∗ Security Bulletin: IBM API Connect is impacted by a vulnerability in Kubernetes(CVE-2019-11251) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: SQL Injection Affects IBM Emptoris Strategic Supply Management Platform (CVE-2019-4752) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-affects-ibm… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.02.2020
by Daily end-of-shift report 19 Feb '20

19 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-02-2020 18:00 − Mittwoch 19-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ SMS Attack Spreads Emotet, Steals Bank Credentials ∗∗∗ --------------------------------------------- A new Emotet campaign is spread via SMS messages pretending to be from banks and may have ties to the TrickBot trojan. --------------------------------------------- https://threatpost.com/sms-attack-spreads-emotet-bank-credentials/153015/ ∗∗∗ Jetzt updaten: Exploit-Code für Lücke in Microsoft SQL Server veröffentlicht ∗∗∗ --------------------------------------------- Updates für MS SQL Server 2012, 2014 und 2016 vom Patch Tuesday beheben eine Sicherheitslücke, für die nun Proof-of-Concept-Code vorliegt. --------------------------------------------- https://heise.de/-4663968 ∗∗∗ Firmware-Sicherheitslücken: Angriffe auf Notebooks von Dell, HP und Lenovo ∗∗∗ --------------------------------------------- Notebook-Hersteller verbauen allerlei Komponenten von Zulieferern, denen selbst einfache Schutzmaßnahmen fehlen. --------------------------------------------- https://heise.de/-4664246 ∗∗∗ E-Mail der DNS Austria ist betrügerisch ∗∗∗ --------------------------------------------- Zahlreiche Website-BesitzerInnen erhalten momentan ein E-Mail einer DNS Austria – einem Unternehmen, das angeblich Domainnamen registriert. Sie werden darüber informiert, dass jemand ihre Domain mit einer anderen Endung registrieren möchte. Ihnen wird die Möglichkeit geboten, diese Domain zuvor zu kaufen. Überweisen Sie der DNS Austria kein Geld, es handelt sich um ein betrügerisches Vorgehen und das Unternehmen existiert nicht. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-der-dns-austria-ist-betrueger… ===================== = Vulnerabilities = ===================== ∗∗∗ Spacelabs Xhibit Telemetry Receiver (XTR) ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for an improper input validation vulnerability in Spacelabs Xhibit Telemetry Receiver hardware --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-20-049-01 ∗∗∗ GE Ultrasound products ∗∗∗ --------------------------------------------- This medical advisory contains mitigations for a protection mechanism failure vulnerability in GE ultrasound products. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-20-049-02 ∗∗∗ Honeywell INNCOM INNControl 3 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an improper privilege management vulnerability in Honeywells INNCOM INNControl 3 energy management platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-049-01 ∗∗∗ Emerson OpenEnterprise ∗∗∗ --------------------------------------------- This advisory contains mitigations for a heap-based buffer overflow vulnerability in Emersons OpenEnterprise SCADA Server software. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-049-02 ∗∗∗ VMSA-2020-0003 ∗∗∗ --------------------------------------------- vRealize Operations for Horizon Adapter updates address multiple security vulnerabilities (CVE-2020-3943, CVE-2020-3944, CVE-2020-3945) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0003.html ∗∗∗ Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild ∗∗∗ --------------------------------------------- Description: Remote Code Execution Affected Plugin: ThemeREX Addons Plugin Slug: trx_addons Affected Versions: Versions greater than 1.6.50 CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Patched Version: Currently No Patch. Today, February 18th, our Threat Intelligence team was notified of a vulnerability present in ThemeREX Addons, a WordPress plugin installed on an estimated 44,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2020/02/zero-day-vulnerability-in-themerex-a… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, java-1.7.0-openjdk, ksh, and sudo), Debian (php7.0 and python-django), Fedora (cacti, cacti-spine, mbedtls, and thunderbird), openSUSE (chromium, re2), Oracle (firefox, java-1.7.0-openjdk, and sudo), Red Hat (openjpeg2 and sudo), Scientific Linux (java-1.7.0-openjdk and sudo), SUSE (dbus-1, dpdk, enigmail, fontforge, gcc9, ImageMagick, ipmitool, php72, sudo, and wicked), and Ubuntu (clamav, linux, linux-aws, linux-aws-hwe, linux-azure, --------------------------------------------- https://lwn.net/Articles/812851/ ∗∗∗ Bugtraq: [TZO-18-2020] - Bitdefender Malformed Archive bypass (GZIP) ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/542236 ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ FortiOS URL redirection attack via the admin password change page ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-179 ∗∗∗ Huawei Security Advisories ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/all-bulletins?name=security-advisories&year… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2020-4135). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2020-4161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: A vulnerability have been identified in Netty shipped with IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library (CVE-2019-16869) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been… ∗∗∗ Security Bulletin: A vulnerability has been identified in FasterXML Jackson library shipped with IBM Tivoli Netcool/OMNIbus Common Integration Libraries (CVE-2019-14540) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to denial of service (CVE-2020-4200). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-4663) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Security vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to privilege escalation (CVE-2020-4230). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2019-4429) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Vulnerability in Netty affects IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-netty-af… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.02.2020
by Daily end-of-shift report 18 Feb '20

18 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Montag 17-02-2020 18:00 − Dienstag 18-02-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ SSL Testing Methods ∗∗∗ --------------------------------------------- Not all SSL configurations on websites are equal, and a growing number push for HTTPS everywhere. There is an increasing demand to check and quantify that little padlock in your browser. Some simple online tools provide a fast SSL report. They are SSL configuration checkers, which do not just check a certificate, which is really only part of that configuration. Instead, they perform a more thorough look. --------------------------------------------- https://blog.sucuri.net/2020/02/ssl-testing-methods.html ∗∗∗ Gut behütet: OWASP API Security Top 10 ∗∗∗ --------------------------------------------- Zunehmend stehen APIs im Visier von Hackern. Ein Blick auf die neue OWASP-Liste zu den Schwachstellen zeigt, an welchen Stellen Entwickler gefordert sind. --------------------------------------------- https://heise.de/-4660904 ∗∗∗ Kritische Lücke in WordPress-Plugin Profile Builder macht jeden zum Site-Admin ∗∗∗ --------------------------------------------- In der aktuellen Version des WordPress-Plugin Profile Builder haben die Entwickler eine Sicherheitslücke mit Höchstwertung geschlossen. --------------------------------------------- https://heise.de/-4663152 ∗∗∗ Building a bypass with MSBuild ∗∗∗ --------------------------------------------- Living-off-the-land binaries (LoLBins) continue to pose a risk to security defenders. We analyze the usage of the Microsoft Build Engine by attackers and red team personnel. These threats demonstrate techniques T1127 (Trusted Developer Utilities) and T1500 (Compile After Delivery) of MITRE ATT&CK framework. --------------------------------------------- https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html ∗∗∗ Vorsicht vor betrügerischen PayLife E-Mails ∗∗∗ --------------------------------------------- PayLife KundInnen aufgepasst: Aktuell sind Phishing-E-Mails unterwegs. Kriminelle geben sich als PayLife aus und behaupten, dass Ihre Karte gesperrt wurde. Um die Karte wieder freizuschalten, müssen Sie einen Identifikationsprozess durchlaufen und Ihre Daten bestätigen. Klicken Sie keinesfalls auf den Link, es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-paylife… ∗∗∗ Bypass Windows 10 User Group Policy (and more) with this One Weird Trick ∗∗∗ --------------------------------------------- I‘m going to share an (ab)use of a Windows feature which can result in bypassing User Group Policy (as well as a few other interesting things). Bypassing User Group Policy is not the end of the world, but it’s also not something that should be allowed and depending on User Group Policy setup, could result in unfortunate security scenarios. --------------------------------------------- https://medium.com/tenable-techblog/bypass-windows-10-user-group-policy-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in wpCentral Plugin Leads to Privilege Escalation ∗∗∗ --------------------------------------------- Description: Improper Access Control to Privilege Escalation Affected Plugin: wpCentral Affected Versions: [...] --------------------------------------------- https://www.wordfence.com/blog/2020/02/vulnerability-in-wpcentral-plugin-le… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (systemd and thunderbird), Debian (clamav, libgd2, php7.3, spamassassin, and webkit2gtk), Fedora (kernel, kernel-headers, and sway), Mageia (firefox, kernel-linus, mutt, python-pillow, sphinx, thunderbird, and webkit2), openSUSE (firefox, nextcloud, and thunderbird), Oracle (firefox and ksh), Red Hat (curl, java-1.7.0-openjdk, kernel, and ruby), Scientific Linux (firefox and ksh), SUSE (sudo and xen), and Ubuntu (clamav, php5, php7.0, php7.2, [...] --------------------------------------------- https://lwn.net/Articles/812763/ ∗∗∗ Serious Vulnerabilities Expose SonicWall SMA Appliances to Remote Attacks ∗∗∗ --------------------------------------------- Several serious vulnerabilities have been found by a researcher in Secure Mobile Access (SMA) and Secure Remote Access (SRA) appliances made by SonicWall. The vendor has released software updates that patch the flaws. --------------------------------------------- https://www.securityweek.com/serious-vulnerabilities-expose-sonicwall-sma-a… ∗∗∗ F-Secure Patches Old AV Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability addressed by F-Secure in some of its business products could have been exploited to bypass their scanning engine using malformed archives. --------------------------------------------- https://www.securityweek.com/f-secure-patches-old-av-bypass-vulnerability ∗∗∗ Bugtraq: [TZO-17-2020] - Kaspersky Generic Archive Bypass (ZIP FLNMLEN) ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/542235 ∗∗∗ Intel processors vulnerability CVE-2019-14607 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K29100014?utm_source=f5support&utm_mediu… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis is affected by stack displayed in WebSphere Application Server (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: Oct 2019 : Multiple vulnerabilities in IBM Java Runtime affect IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oct-2019-multiple-vulnera… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2019-2989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Bypass security restrictions in WebSphere Application Server Liberty affect IBM Operations Analytics – Log Analysis (CVE-2019-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-bypass-security-restricti… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Oct 2019 : Multiple vulnerabilities in IBM Java Runtime affect TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oct-2019-multiple-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.02.2020
by Daily end-of-shift report 17 Feb '20

17 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-02-2020 18:00 − Montag 17-02-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Escaping the Chrome Sandbox with RIDL ∗∗∗ --------------------------------------------- tl;dr: Vulnerabilities that leak cross process memory can be exploited to escape the Chrome sandbox. An attacker is still required to compromise the renderer prior to mounting this attack. To protect against attacks on affected CPUs make sure your microcode is up to date and disable hyper-threading (HT). --------------------------------------------- https://googleprojectzero.blogspot.com/2020/02/escaping-chrome-sandbox-with… ∗∗∗ How to hack a company by circumventing its WAF through the abuse of a different security appliance and win bug bounties ∗∗∗ --------------------------------------------- Hey, wait! What do bug bounties and network security appliances have in common? Usually nothing! On the contrary, the security appliances allow virtual patching practices and actively participate to reduce the number of bug bounties paid to researchers…but this is a reverse story: a bug bounty was paid to us thanks to a misconfigured security appliance. --------------------------------------------- https://www.redtimmy.com/web-application-hacking/how-to-hack-a-company-by-c… ∗∗∗ Flaw in WordPress Themes Plugin Allowed Hackers to Become Site Admin ∗∗∗ --------------------------------------------- A serious vulnerability found in a WordPress themes plugin with over 200,000 active installations can be exploited to wipe a website’s database and gain administrator access to the site. read more --------------------------------------------- https://www.securityweek.com/flaw-wordpress-themes-plugin-allowed-hackers-b… ∗∗∗ Theres finally a way to remove xHelper, the unremovable Android malware ∗∗∗ --------------------------------------------- Malwarebytes researchers find a way to remove the malware, but they still dont know how it really operates. --------------------------------------------- https://www.zdnet.com/article/theres-finally-a-way-to-remove-xhelper-the-un… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (evince, postgresql-9.4, and thunderbird), Fedora (ksh and libxml2), openSUSE (hostapd and nextcloud), Red Hat (chromium-browser, firefox, flash-plugin, and ksh), and SUSE (firefox and thunderbird). --------------------------------------------- https://lwn.net/Articles/812664/ ∗∗∗ PHOENIX CONTACT Emalytics Controller ILC 2050 BI(L) allows unauthorised read and write access to the configuration file. ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2020-001 ∗∗∗ Security Bulletin: Information disclosure in WebSphere Application Server Liberty bundled with IBM Operations Analytics – Log Analysis (CVE-2019-4305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Spectrum Protect Plus (CVE-2018-0735, CVE-2018-0734, CVE-2018-5407) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU – Oct 2019 – Includes Oracle Oct 2019 CPU minus CVE-2019-2949 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-sd… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – Kubernetes (CVE-2019-17110, CVE-2019-10223, CVE-2019-11253) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty in IBM Cloud Private VM Quickstarter ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Websphere Liberty and OpenLiberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-websph… ∗∗∗ Security Bulletin: IBM Tivoli Common Reporting (TCR) interim fixes address Security Vulnerability and Exposure CVE-2018-1902 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-common-reporti… ∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – Go (CVE-2019-17596) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Commons Compress ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2020
by Daily end-of-shift report 14 Feb '20

14 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-02-2020 18:00 − Freitag 14-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Parallax RAT: Common Malware Payload After Hacker Forums Promotion ∗∗∗ --------------------------------------------- A remote access Trojan named Parallax is being widely distributed through malicious spam campaigns that when installed allow attackers to gain full control over an infected system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-… ∗∗∗ Keep an Eye on Command-Line Browsers, (Fri, Feb 14th) ∗∗∗ --------------------------------------------- For a few weeks, Im searching for suspicious files that make use of a command line browser like curl.exe or wget.exe in Windows environment. Wait, you were not aware of this? Just open a cmd.exe and type 'curl.exe' on your Windows 10 host: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/25804 ∗∗∗ LokiBot Impersonates Popular Game Launcher and Drops Compiled C# Code File ∗∗∗ --------------------------------------------- Recently, we discovered LokiBot (detected by Trend Micro as Trojan.Win32.LOKI) impersonating a popular game launcher to trick users into executing it on their machines. Further analysis revealed that a sample of this variant employs a quirky, installation routine that involves dropping a compiled C# code file. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/WsiHoe_u7N4/ ∗∗∗ An In-Depth Technical Analysis of CurveBall (CVE-2020-0601) ∗∗∗ --------------------------------------------- The first Microsoft patch Tuesday of 2020 contained fixes for CVE-2020-0601 [...] an attacker exploiting this vulnerability could potentially create their own cryptographic certificates that appear to originate from a legitimate certificate that is fully trusted by Windows by default. .. this post will primarily highlight the code-level root cause analysis of the vulnerability in the context of how applications are likely to use CryptoAPI to handle certificates — more specifically in the [...] --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-tec… ∗∗∗ Sicherheitslücken-Sammlung SweynTooth: SocS in zahlreichen Produkten verwundbar ∗∗∗ --------------------------------------------- Zwölf Lücken in der Bluetooth-Low-Energy-Umsetzung auf Systems-on-Chip mehrerer Hersteller betreffen Wearables, IoT- aber wohl auch medizinische Geräte. --------------------------------------------- https://heise.de/-4660872 ===================== = Vulnerabilities = ===================== ∗∗∗ Trend Micro AntiVirus: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Trend Micro AntiVirus ist eine Anti-Viren-Software. Trend Micro Maximum Security ist eine Desktop Security Suite. Trend Micro Internet Security ist eine Firewall und Antivirus Lösung. --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2020/02/warn… ∗∗∗ Schneider Electric Modicon Ethernet Serial RTU ∗∗∗ --------------------------------------------- This advisory contains mitigations for improper check for unusual or exceptional conditions, and improper access control vulnerabilities in Schneider Electrics Modicons BMXNOR0200H Ethernet Serial RTU, a remote terminal unit. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-044-01 ∗∗∗ Schneider Electric Magelis HMI Panels ∗∗∗ --------------------------------------------- This advisory contains mitigations for an improper check for unusual or exceptional conditions vulnerability in Schneiders Magelis HMI Panels. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-044-02 ∗∗∗ FortiManager Cross-Site WebSocket Hijacking (CSWSH) ∗∗∗ --------------------------------------------- An Insufficient Verification of Data Authenticity vulnerability in FortiManager may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack. FortiManager 6.2.0 to 6.2.1, 6.0.6 and below. --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-191 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-security-support, postgresql-11, and postgresql-9.6), Fedora (cutter-re, firefox, php-horde-Horde-Data, radare2, and texlive-base), openSUSE (docker-runc), Oracle (kernel), Red Hat (sudo), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/812494/ ∗∗∗ Bugtraq: [TZO-13-2020] - AVIRA Generic AV Bypass (ZIP GPFLAG) ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/542223 ∗∗∗ Security Bulletin: Vulnerability affecting IBM Network Performance Insight (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affecting-i… ∗∗∗ Security Bulletin: Vulnerability affecting IBM Network Performance Insight (CVE-2019-16335) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-affecting-i… ∗∗∗ Security Bulletin: Oct 2019 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oct-2019-multiple-vulnera… ∗∗∗ Security Bulletin: OpenSSL vulnerability affects IBM Rational Team Concert ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-aff… ∗∗∗ Security Bulletin: Oracle Outside In Technology vulnerability in Rational DOORS Next Generation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-outside-in-technol… ∗∗∗ Security Bulletin: Vulnerabilities affect IBM Network Performance Insight (CVE-2019-14379, CVE-2019-17531, CVE-2019-14439 and CVE-2019-14540) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-affect-ib… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affect Financial Transaction Manager for Digital Payments ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Red Hat Virtualization: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0132 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.02.2020
by Daily end-of-shift report 13 Feb '20

13 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-02-2020 18:00 − Donnerstag 13-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft Urges Exchange Admins to Disable SMBv1 to Block Malware ∗∗∗ --------------------------------------------- Microsoft is recommending administrators disable the SMBv1 network communication protocol on Exchange servers to provide better protection against malware threats and attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-urges-exchange-ad… ∗∗∗ VU#597809: IBM ServeRAID Manager exposes unauthenticated Java Remote Method Invocation (RMI) service ∗∗∗ --------------------------------------------- Impact: An unauthenticated remote attacker can execute arbitrary code on a vulnerable system, with SYSTEM privileges on Microsoft Windows. Solution: ServeRAID Manager is no longer supported and we do not expect IBM to release fixes. --------------------------------------------- https://kb.cert.org/vuls/id/597809 ∗∗∗ How to escalate privileges and steal secrets in Google Cloud Platform ∗∗∗ --------------------------------------------- The problem? There just isnt a lot of information available about GCP written from an attackers perspective. We set out to learn as much as we could about Google Cloud and how an attacker might work to abuse common design decisions --------------------------------------------- https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileg… ∗∗∗ From S3 bucket to Laravel unserialize RCE ∗∗∗ --------------------------------------------- TLDR: Anyone who have access to the app key can both impersonate other users and, if enabled, make the application deserialize arbitrary data. --------------------------------------------- https://blog.truesec.com/2020/02/12/from-s3-bucket-to-laravel-unserialize-r… ∗∗∗ Tipps für die Sicherheit Ihrer E-Mail-Adressen ∗∗∗ --------------------------------------------- Immer wieder erreichen die Watchlist Internet Meldungen verzweifelter KonsumentInnen zu Problemen mit ihren E-Mail-Accounts. So kann es zur Übernahme von Mail-Adressen oder Hacks kommen. Auch vergessene Passwörter, Sicherheitsfragen oder verdächtige Aktivitäten führen häufig zu Schwierigkeiten. --------------------------------------------- https://www.watchlist-internet.at/news/tipps-fuer-die-sicherheit-ihrer-e-ma… ∗∗∗ Wireshark Tutorial: Examining Qakbot Infections ∗∗∗ --------------------------------------------- Brad Duncan is back with a new Wireshark tutorial. This one examines a recent infection of Qakbot (AKA Qbot), which is an information stealer, so security pros can better understand its traffic patterns for detecting and investigating in the future. The post Wireshark Tutorial: Examining Qakbot Infections appeared first on Unit42. --------------------------------------------- https://unit42.paloaltonetworks.com/tutorial-qakbot-infection/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dovecot, firefox, ksh, and webkit2gtk), Debian (firefox-esr and openjdk-8), Mageia (exiv2, flash-player-plugin, python-waitress, and vim and neovim), openSUSE (pcp and rubygem-rack), Oracle (kernel), Red Hat (sudo), and Slackware (libarchive). --------------------------------------------- https://lwn.net/Articles/812389/ ∗∗∗ Security Bulletin: CVE-2019-4666 IBM UrbanCode Deploy (UCD) could allow a local user to obtain sensitive information by unmasking certain secure values in documents. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4666-ibm-urbanco… ∗∗∗ Security Bulletin: vulnerabilities in Nimbus JOSE+JWT affect IBM Watson Machine Learning Accelerator 1.2.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-nimbus… ∗∗∗ Security Bulletin: Authentication bypass in IBM Tivoli Monitoring Service console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-authentication-bypass-in-… ∗∗∗ Security Bulletin: OpenSSL vulnerability affects IBM Rational Team Concert ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-aff… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2019-4666 IBM UrbanCode Build (UCB) could allow a local user to obtain sensitive information by unmasking certain secure values in documents. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-4666-ibm-urbanco… ∗∗∗ Security Bulletin: CVE-2019-0199 The HTTP/2 implementation in embded Apache Tomcat Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-0199-the-http-2-… ∗∗∗ Security Bulletin: IBM Tivoli Monitoring Basic Services component (CVE-2019-15903) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-bas… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.02.2020
by Daily end-of-shift report 12 Feb '20

12 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-02-2020 18:00 − Mittwoch 12-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Jenkins servers can be abused for DDoS attacks ∗∗∗ --------------------------------------------- DDoS attacks can reach an amplification factor of 100, but servers will crash very quickly. --------------------------------------------- https://www.zdnet.com/article/jenkins-servers-can-be-abused-for-ddos-attack… ===================== = Vulnerabilities = ===================== ∗∗∗ Intel Releases Security Updates ∗∗∗ --------------------------------------------- Intel has released security updates to address vulnerabilities in multiple products. * RWC3 Advisory INTEL-SA-00341 * MPSS Advisory INTEL-SA-00340 * RWC2 Advisory INTEL-SA-00339 * SGX SDK Advisory INTEL-SA-00336 * CSME Advisory INTEL-SA-00307 * Renesas Electronics USB 3.0 Driver Advisory INTEL-SA-00273 --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/02/11/intel-releases-sec… ∗∗∗ Patchday: Microsoft schließt Zero-Day-Lücke in Internet Explorer ∗∗∗ --------------------------------------------- Seit Januar gibt es Attacken auf Internet Explorer. Dem schiebt Microsoft nun einen Riegel vor. Außerdem gibt es Sicherheitsupdates für Windows & Co. --------------------------------------------- https://heise.de/-4658554 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (spice-gtk), Debian (libemail-address-list-perl), openSUSE (chromium, libqt5-qtbase, nginx, systemd, and wicked), Oracle (spice-gtk), Slackware (firefox and thunderbird), and Ubuntu (libexif and Yubico PIV Tool). --------------------------------------------- https://lwn.net/Articles/812293/ ∗∗∗ Red Hat OpenShift Service Mesh: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Die Red Hat OpenShift Container Platform bietet Unternehmen die Möglichkeit der Steuerung ihrer Kubernetes Umgebungen. Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat OpenShift Service Mesh ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0120 ∗∗∗ 2020-02-12: Vulnerability in ABB Asset Suite - Direct Object Reference ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9962&Lan… ∗∗∗ 2020-02-12: Vulnerabilities in ABB eSOMS ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107492A9964&Lan… ∗∗∗ Wordpress Plugin: GDPR Cookie Consent < 1.8.3 - Improper Access Controls ∗∗∗ --------------------------------------------- https://wordpress.org/plugins/cookie-law-info/ ∗∗∗ Security Advisory - Dangling Pointer Reference Vulnerability in Some Huawei Firewall Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200212-… ∗∗∗ Security Advisory - Memory Leak Vulnerability in Some Firewall Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200212-… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Firewall Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200212-… ∗∗∗ Security Advisory - Small OOB Read Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200212-… ∗∗∗ Security Advisory - Double Free Memory Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200212-… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200212-… ∗∗∗ Security Advisory - Input Validation Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200212-… ∗∗∗ Security Bulletin: OpenSSL vulnerabilites (CVE-2019-1552) impacting IBM Aspera High-Speed Transfer Server, Aspera High-Speed Transfer Endpoint, Aspera Desktop 3.9.1 and earlier ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilites-cv… ∗∗∗ Security Bulletin: Security Vulnerability in Expat affects IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-in… ∗∗∗ Security Bulletin: OpenSSL vulnerabilites (CVE-2019-1563, CVE-2019-1547) impacting IBM Aspera High-Speed Transfer Server 3.9.1, Aspera High-Speed Transfer Endpoint, Aspera Desktop Client 3.9.1 and earlier ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilites-cv… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in OpenSSL Affect IBM Sterling Connect:Direct for HP NonStop ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect Rational Publishing Engine ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cognos Controller 2020Q1 Security Updater: Multiple Security Vulnerabilities have been identified in IBM Cognos Controller ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-202… ∗∗∗ Security Bulletin: Curl vulnerabilities CVE-2019-5443 impact IBM Aspera High-Speed Transfer Server, IBM Aspera High-Speed Transfer Client, IBM Aspera Desktop Client 3.9.1 and earlier ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-curl-vulnerabilities-cve-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Tomcat affects IBM Platform Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: OpenSSL vulnerabilites impacting Aspera High-Speed Transfer Server, Aspera Desktop Client 3.9.1 and earlier (CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilites-im… ∗∗∗ Security Bulletin: OpenSSL vulnerabilites impacting Aspera High-Speed Transfer Server, Aspera Desktop Client 3.9.1 and earlier (CVE-2018-0734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilites-im… ∗∗∗ Red Hat Quay: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0119 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.02.2020
by Daily end-of-shift report 11 Feb '20

11 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Montag 10-02-2020 18:00 − Dienstag 11-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fake-Abmahnungen im Namen echter Kanzleien mit Schadsoftware ∗∗∗ --------------------------------------------- Zahlreiche Internet-UserInnen und Website-BetreiberInnen erhalten derzeit vermeintliche Abmahnschreiben wegen angeblicher Urheberrechtsverletzungen im Namen echter Anwaltskanzleien. Kriminelle geben sich beispielsweise als Kanzlei Böhmert und Böhmert oder Kanzlei Wilde Beuger Solmecke aus. Die Schreiben sind gefälscht und enthalten Downloadlinks mit gefährlicher Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/fake-abmahnungen-im-namen-echter-kan… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Framemaker (APSB20-04), Adobe Acrobat and Reader (APSB20-05), Adobe Flash Player (APSB20-06), Adobe Digital Edition (APSB20-07) and Adobe Experience Manager (APSB20-08). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1830 ∗∗∗ Mozilla Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Mozilla has released security updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/02/11/mozilla-releases-s… ∗∗∗ FortiAP-S/W2 system files overwrite through tcpdump CLI command ∗∗∗ --------------------------------------------- An improper input validation (CWE-20) vulnerability in FortiAP-S/W2 CLI admin console may allow unauthorized administrators to overwrite system files via specially crafted tcpdump CLI commands. --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-298 ∗∗∗ FortiAP system command injection through ifconfig command ∗∗∗ --------------------------------------------- A system command injection vulnerability in the FortiAP CLI admin console may allow unauthorized administrators to run arbitrary system level commands via specially crafted ifconfig commands. --------------------------------------------- https://fortiguard.com/psirt/%20FG-IR-19-209 ∗∗∗ SAP Security Patch Day – February 2020 ∗∗∗ --------------------------------------------- On 11th of February 2020, SAP Security Patch Day saw the release of 13 Security Notes. There are 2 updates to previously released Patch Day Security Notes. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=537788812 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (checkstyle), Fedora (poppler), Oracle (kernel), Red Hat (389-ds:1.4, java-1.7.1-ibm, java-1.8.0-ibm, nss-softokn, and spice-gtk), and Scientific Linux (spice-gtk). --------------------------------------------- https://lwn.net/Articles/812219/ ∗∗∗ Flaws in Accusoft ImageGear Expose Users to Remote Attacks ∗∗∗ --------------------------------------------- Critical vulnerabilities addressed in the Accusoft ImageGear library could be exploited by remote attackers to execute code on a victim machine, Cisco Talos’ security researchers report. read more --------------------------------------------- https://www.securityweek.com/flaws-accusoft-imagegear-expose-users-remote-a… ∗∗∗ SSA-986695 (Last Update: 2020-02-11): Information Disclosure Vulnerability in the OZW Web Server ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-986695.txt ∗∗∗ SSA-978558 (Last Update: 2020-02-11): Insufficient Logging Vulnerability in SIPORT MP ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-978558.txt ∗∗∗ SSA-974843 (Last Update: 2020-02-11): Denial-of-Service Vulnerability in SIPROTEC 4 and SIPROTEC Compact Relay Families ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-974843.txt ∗∗∗ SSA-951513 (Last Update: 2020-02-11): Clickjacking Vulnerability in SCALANCE X-300, X-200IRT, and X-200 Switch Families ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-951513.txt ∗∗∗ SSA-940889 (Last Update: 2020-02-11): Vulnerabilities in the embedded FTP server of SIMATIC CP 1543-1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-940889.txt ∗∗∗ SSA-780073 (Last Update: 2020-02-11): Denial-of-Service Vulnerability in PROFINET Devices via DCE-RPC Packets ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-780073.txt ∗∗∗ SSA-750824 (Last Update: 2020-02-11): Denial-of-Service Vulnerability in Profinet Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-750824.txt ∗∗∗ SSA-591405 (Last Update: 2020-02-11): Web Vulnerabilities in SCALANCE S-600 family ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-591405.txt ∗∗∗ SSA-431678 (Last Update: 2020-02-11): Denial-of-Service Vulnerability in SIMATIC S7 CPU Families ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-431678.txt ∗∗∗ SSA-398519 (Last Update: 2020-02-11): Vulnerabilities in Intel CPUs (November 2019) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-398519.txt ∗∗∗ SSA-270778 (Last Update: 2020-02-11): Denial-of-Service Vulnerability in SIMATIC PCS 7, SIMATIC WinCC and SIMATIC NET PC Software ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-270778.txt ∗∗∗ SSA-978220 (Last Update: 2020-02-11): Denial-of-Service Vulnerability over SNMP in Multiple Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-978220.txt ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server (CVE-2020-2593, CVE-2020-2583, CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2020-2593, CVE-2020-2583, CVE-2019-4732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Content Navigator is vulnerable to Server Side Request Forgery (SSRF) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-navigator-is-… ∗∗∗ Symantec Endpoint Protection: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0111 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.02.2020
by Daily end-of-shift report 10 Feb '20

10 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-02-2020 18:00 − Montag 10-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ KBOT: sometimes they come back ∗∗∗ --------------------------------------------- We recently discovered malware that spread through injecting malicious code into Windows executable files; in other words, a virus. It is the first “living” virus in recent years that we have spotted in the wild. We named it KBOT. --------------------------------------------- https://securelist.com/kbot-sometimes-they-come-back/96157/ ∗∗∗ Emotet: Erster Hase-Igel-Loop für EmoCheck ∗∗∗ --------------------------------------------- Eine neue Emotet-Version machte ein erstes Update des Erkennungs-Tools EmoCheck fällig. --------------------------------------------- https://heise.de/-4656609 ∗∗∗ Dangerous Domain Corp.com Goes Up for Sale ∗∗∗ --------------------------------------------- As an early domain name investor, Mike OConnor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years OConnor refused to auction perhaps the most sensitive domain in his stable -- corp.com. --------------------------------------------- https://krebsonsecurity.com/2020/02/dangerous-domain-corp-com-goes-up-for-s… ∗∗∗ Betrügerisches Raiffeisen SMS im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche HandynutzerInnen empfangen aktuell angeblich eine SMS von der Raiffeisenbank. Die Funktion pushTAN sei nicht aktiviert. Um das Problem zu beheben, werden Sie aufgefordert, einem Link zu folgen. Klicken Sie nicht auf den Link, Sie gelangen auf eine gefälschte Raiffeisen-Login-Seite. Kriminelle stehlen Ihre Zugangsdaten und Ihre Telefonnummer. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-raiffeisen-sms-im-um… ===================== = Vulnerabilities = ===================== ∗∗∗ Tutor LMS < 1.5.3 - Cross-Site Request Forgery (CSRF) ∗∗∗ --------------------------------------------- Tutor LMS WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) attacks. --------------------------------------------- https://wpvulndb.com/vulnerabilities/10058 ∗∗∗ Geschlossene Lücke: Dell SupportAssist Client könnte Schadcode laden ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Dell SupportAssist for business PCs und Dell SupportAssist for home PCs. --------------------------------------------- https://heise.de/-4656474 ∗∗∗ Sicherheitsupdate: Wiki-Software Confluence unter Windows angreifbar ∗∗∗ --------------------------------------------- Angreifer könnten die Windows-Version von Confluence attackieren und sich gegebenenfalls höhere Nutzerrechte verschaffen. --------------------------------------------- https://heise.de/-4656770 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ipmitool, libexif, and ppp), Fedora (glib2, java-1.8.0-openjdk, java-11-openjdk, libasr, libuv, mingw-gdk-pixbuf, mingw-SDL2, nethack, nghttp2, nodejs, nodejs-mixin-deep, nodejs-set-value, nodejs-yarn, opensmtpd, python-feedgen, runc, samba, sox, and texlive-base), Mageia (chromium-browser-stable, mgetty, openslp, qtbase5, spamassassin, sudo, and xmlrpc), openSUSE (ceph and chromium), Oracle (grub2 and kernel), SUSE (docker-runc, LibreOffice, docker-runc, wicked), Ubuntu (libxml2, qtbase-opensource-src) --------------------------------------------- https://lwn.net/Articles/812118/ ∗∗∗ Security Advisory - Information Leak Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200207-… ∗∗∗ Security Bulletin: Aspera Web Shares application is affected by NGINX Vulnerabilities (CVE-2018-16845, CVE-2018-16843, CVE-2019-7401) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-shares-applica… ∗∗∗ Security Bulletin: Aspera Web Applications (Faspex, Console, Shares) are affected by Apache Vulnerabilities (CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10098), ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-applications-f… ∗∗∗ Security Bulletin: Aspera Web Applications (Faspex, Console) are affected by Apache Vulnerabilities (CVE-2019-0196, CVE-2019-0197, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-applications-f… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (February 2020v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server January 2020 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Aspera Web Application (Faspex, Console, Orchestrator, Shares) are affected by Apache vulnerabilities (CVE-2019-9517, CVE-2019-10097) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-application-fa… ∗∗∗ Security Bulletin: Aspera Web Faspex application is affected by OpenSSL Vulnerability (CVE-2019-1552) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aspera-web-faspex-applica… ∗∗∗ Security Bulletin: IBM Aspera WebApps (Shares, Faspex, Console, Orchestrator) and products are affected by OpenSSL Vulnerability (CVE-ID: CVE-2019-1543) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-webapps-shares… ∗∗∗ HPESBHF03978 rev.2 - HPE Superdome Flex Server, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2020
by Daily end-of-shift report 07 Feb '20

07 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-02-2020 18:00 − Freitag 07-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Phishing Attack Disables Google Play Protect, Drops Anubis Trojan ∗∗∗ --------------------------------------------- Android users are targeted in a phishing campaign that will infect their devices with the Anubis banking Trojan that can steal financial information from more than 250 banking and shopping applications. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-attack-disables-goo… ∗∗∗ Robbin Hood – the ransomware that brings its own bug ∗∗∗ --------------------------------------------- When you need a vulnerability to exploit, but there isnt one... why not simply bring your own, along with your malware? --------------------------------------------- https://nakedsecurity.sophos.com/2020/02/07/robbin-hood-the-ransomware-that… ∗∗∗ Malware Emotet greift WLANs an ∗∗∗ --------------------------------------------- Emotet nutzt offenbar eine bislang nicht bekannte Methode, sich weiter auszubreiten: Er klinkt sich in schlecht gesicherte Funknetze ein. --------------------------------------------- https://heise.de/-4655284 ∗∗∗ Warnmails eines Sebastian Wulker sind Fake! ∗∗∗ --------------------------------------------- Vor allem Ein-Personen-Unternehmen, aber auch Privatpersonen erhalten momentan E-Mails im Namen eines angeblichen Sicherheitsforschers Sebastian Wulker. In diesen Mails wird behauptet, dass er im Rahmen seiner Arbeit auf die missbräuchliche Verwendung persönlicher Daten gestoßen ist und an ihn kontaktieren soll, um mehr zu erfahren, bevor er es an Strafverfolgungsbehörden weitergibt. Wer hier Kontakt aufnimmt, wird Schritt für Schritt in eine Erpressungsfalle gelockt, --------------------------------------------- https://www.watchlist-internet.at/news/warnmails-eines-sebastian-wulker-sin… ∗∗∗ Magecart Group 12’s Latest: Actors Behind Attacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign ∗∗∗ --------------------------------------------- A recent blog post by Jacob Pimental and Max Kersten highlighted Magecart activity targeting ticket re-selling websites for the 2020 Olympics and EUFA Euro 2020, olympictickets2020.com and eurotickets2020.com respectively. These sites were compromised by a skimmer using the domain opendoorcdn.com for data exfiltration. --------------------------------------------- https://www.riskiq.com/blog/labs/magecart-group-12-olympics/ ===================== = Vulnerabilities = ===================== ∗∗∗ Google: Bluetooth-Lücke in Android ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Mit den Februar-Updates für Android schließt Google eine Sicherheitslücke im Bluetooth-Stack, die das Ausführen von Code durch Angreifer ermöglicht. Dazu müssen diese nur in der Nähe der Geräte sein. Weitere Fehler in Android ermöglichen die Rechteausweitung. --------------------------------------------- https://www.golem.de/news/google-bluetooth-luecke-in-android-ermoeglicht-co… ∗∗∗ VoIP-Telefone: Schwere Sicherheitslücke bei Yealink entdeckt ∗∗∗ --------------------------------------------- Yealink versorgt Telefone weltweit mit VoIP-Zugangsdaten, Telefonbüchern und Anruferlisten. Im Autoprovisionierungsdienst des Herstellers klafft eine Lücke. --------------------------------------------- https://heise.de/-4654592 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, python-django, and sudo), Debian (libexif and libxmlrpc3-java), Fedora (upx and xar), openSUSE (ucl and upx), Oracle (ipa), Scientific Linux (kernel), SUSE (e2fsprogs, libqt5-qtbase, nginx, pcp, php7, rubygem-rack, systemd, wicked, and xen), and Ubuntu (mariadb-10.1, mariadb-10.3, mesa, pillow, and python-reportlab). --------------------------------------------- https://lwn.net/Articles/811880/ ∗∗∗ ClamAV: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2020/02/warn… ∗∗∗ Events Manager < 5.9.7.2 - CSV Injection ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10062 ∗∗∗ Events Manager Pro < 2.6.7.2 - CSV Injection ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10063 ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0106 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.02.2020
by Daily end-of-shift report 06 Feb '20

06 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-02-2020 18:00 − Donnerstag 06-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Philips Hue: Kritische Sicherheitslücke in smarten Lampen ∗∗∗ --------------------------------------------- Hacker können mit einer Antenne das Netzwerk der User und damit verbundene Computer übernehmen. --------------------------------------------- https://futurezone.at/produkte/philips-hue-kritische-sicherheitsluecke-in-s… ∗∗∗ Fake browser update pages are "still a thing", (Wed, Feb 5th) ∗∗∗ --------------------------------------------- SocGholish is a term I first saw in signatures from the EmergingThreats Pro ruleset to describe fake browser update pages used to distribute malware like a NetSupport RAT-based malware package or Chthonic banking malware. Although this activity has continued into 2020, I hadn't run across an example until this week. --------------------------------------------- https://isc.sans.edu/diary/rss/25774 ∗∗∗ This crafty malware makes you retype your passwords so it can steal them ∗∗∗ --------------------------------------------- Metamorfo banking trojan has expanded its campaign to target online users banking services. --------------------------------------------- https://www.zdnet.com/article/this-crafty-malware-makes-you-retype-your-pas… ===================== = Vulnerabilities = ===================== ∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB20-05) ∗∗∗ --------------------------------------------- A prenotification security advisory (APSB20-05) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, February 11, 2020. We will continue to provide updates on the upcoming release via the Security Bulletins and Advisories page as well as the Adobe PSIRT Blog. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1828 ∗∗∗ Views Bulk Operations (VBO) - Moderately critical - Access bypass - SA-CONTRIB-2020-003 ∗∗∗ --------------------------------------------- Project: Views Bulk Operations (VBO)Date: 2020-February-05Security risk: Moderately critical 12∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: Views Bulk Operations provides enhancements to running bulk actions on views.The module contains an access bypass vulnerability that might allow users to execute views actions that they should not have access to. --------------------------------------------- https://www.drupal.org/sa-contrib-2020-003 ∗∗∗ Hintertür in vielen Überwachungskameras mit HiSilicon-Chips ∗∗∗ --------------------------------------------- Die Firmware zahlreicher IP-Kameras mit Systems-on-Chip (SoCs) der Huawei-Sparte HiSilicon erlaubt Root-Zugriff via telnet. --------------------------------------------- https://heise.de/-4654525 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel-rt, qemu-kvm, spamassassin, and Xorg), Debian (ruby-rack-cors), Fedora (glibc), openSUSE (ImageMagick), Oracle (ipa, kernel, and qemu-kvm), SUSE (systemd), and Ubuntu (exiv2, mbedtls, and systemd). --------------------------------------------- https://lwn.net/Articles/811678/ ∗∗∗ Auth0 < 3.11.3 - Unauthenticated Reflected XSS via wle Parameter ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10059 ∗∗∗ Ultimate Membership Pro < 8.6.1 - Multiple Critical Vulnerabilities ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10061 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM WIoTP MessageGateway (CVE-2020-2604, CVE-2020-2659) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Windows installers of IBM Cloud CLI prior to 0.16.2 are signed using SHA1 certificate ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-windows-installers-of-ibm… ∗∗∗ Security Bulletin: Vulnerability of Embedded CF CLI In IBM Cloud CLI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-of-embedded… ∗∗∗ BIG-IP Edge Client for Windows vulnerability CVE-2020-5855 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55102004 ∗∗∗ BIG-IP TMM AWS vulnerability CVE-2020-5856 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K00025388 ∗∗∗ BIG-IP TMM vulnerability CVE-2020-5854 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50046200 ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0099 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0104 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.02.2020
by Daily end-of-shift report 05 Feb '20

05 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-02-2020 18:00 − Mittwoch 05-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Bitbucket Abused to Infect 500,000+ Hosts with Malware Cocktail ∗∗∗ --------------------------------------------- Attackers are abusing the Bitbucket code hosting service to store seven types of malware threats used in an ongoing campaign that has already claimed more than 500,000 business computers across the world. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bitbucket-abused-to-infect-5… ∗∗∗ Betrügerische WhatsApp-Nachrichten zu iPhone-Gewinn! ∗∗∗ --------------------------------------------- Kriminelle nützen momentan WhatsApp für die massenhafte Verbreitung einer Betrugsmasche. Sie versenden eine WhatsApp-Nachricht zu einem angeblichen Gewinn aus. Wer dem Link folgt und ein gratis iPhone erhalten möchte, muss die Nachricht an mindestens zehn WhatsApp-Kontakte weiterleiten. EmpfängerInnen dürfen weder Daten bekanntgeben noch die Nachricht weiterleiten. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-whatsapp-nachrichten-… ∗∗∗ Researcher: Backdoor mechanism still active in devices using HiSilicon chips ∗∗∗ --------------------------------------------- Researcher said he did not notify HiSilicon due to a lack of trust in the hardware vendor to adequately fix the issue. --------------------------------------------- https://www.zdnet.com/article/researcher-backdoor-mechanism-discovered-in-d… ===================== = Vulnerabilities = ===================== ∗∗∗ WhatsApp Bug Allowed Attackers to Access the Local File System ∗∗∗ --------------------------------------------- Facebook patched a critical WhatsApp vulnerability that would have allowed potential attackers to read files from a users local file system, on both macOS and Windows platforms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/whatsapp-bug-allowed-attacke… ∗∗∗ VU#261385: Cisco Discovery Protocol (CDP) enabled devices are vulnerable to denial-of-service and remote code execution ∗∗∗ --------------------------------------------- CVE-2020-3110 Ciscos Video Surveillance 8000 Series IP cameras with CDP enabled are vulnerable to a heap overflow in the parsing of DeviceID type-length-value(TLV). The CVSS score reflected below is in regards to this vulnerability. CVE-2020-3111 Cisco Voice over Internet Protocol(VoIP)phones with CDP enabled are vulnerable to a stack overflow in the parsing of PortID type-length-value(TLV). CVE-2020-3118 Ciscos CDP subsystem of devices running,or based on,Cisco IOS XR Software are vulnerable. --------------------------------------------- https://kb.cert.org/vuls/id/261385 ∗∗∗ AutomationDirect C-More Touch Panels ∗∗∗ --------------------------------------------- This advisory contains mitigations for an insufficiently protected credentials vulnerability in AutomationDirects C-More Touch Panels software management platform. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-035-01 ∗∗∗ Cisco Digital Network Architecture Center Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web-based management interface of Cisco Digital Network Architecture (DNA) Center could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack on an affected device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (storebackup), openSUSE (e2fsprogs and wicked), Red Hat (containernetworking-plugins, ipa, kernel, kernel-rt, ksh, and qemu-kvm), Scientific Linux (ipa and qemu-kvm), SUSE (libqt5-qtbase, python-reportlab, and terraform), and Ubuntu (graphicsmagick, OpenSMTPD, spamassassin, and sudo). --------------------------------------------- https://lwn.net/Articles/811597/ ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200205-… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200205-… ∗∗∗ Security Advisory - Information leakage Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200205-… ∗∗∗ Security Advisory - Information leakage Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200205-… ∗∗∗ Security Bulletin: Information Disclosure in WebSphere Application Server Admin Console (CVE-2019-4670) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment Response Time Monitoring Agent (CVE-2019-16168) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server January 2020 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Automation Manager is affected by an issue with insecure cookie path attribute (CVE-2019-4616) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-automation-mana… ∗∗∗ Security Bulletin: IBM Planning Analytics Local is affected by a security vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-lo… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2019-16168) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ systemd: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0096 ∗∗∗ MariaDB: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0095 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.02.2020
by Daily end-of-shift report 04 Feb '20

04 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Montag 03-02-2020 18:00 − Dienstag 04-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New EmoCheck Tool Checks if Youre Infected With Emotet ∗∗∗ --------------------------------------------- A new utility has been released by Japan CERT (computer emergency response team) that allows Windows users to easily check if they are infected with the Emotet Trojan. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-emocheck-tool-checks-if-… ∗∗∗ Microsoft Office 365 Will Block Malicious Content Unless Overridden ∗∗∗ --------------------------------------------- Microsoft is currently working on new features designed to block malicious content in Office 365 regardless of the custom configurations set up by administrators or users unless manually overridden. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-office-365-will-bl… ∗∗∗ Sicherheitslücke in Twitters API: Telefonnummern abgreifbar ∗∗∗ --------------------------------------------- Durch die missbräuchliche Verwendung einer API von Twitter konnten Unbekannte Telefonnummern und Nutzernamen kombinieren und einsehen. --------------------------------------------- https://heise.de/-4652519 ∗∗∗ Zum schnellen Geld kommen? – So geht es nicht! ∗∗∗ --------------------------------------------- Vorsicht: Angebliche InvestorInnen, PhilanthropInnen oder UnternehmerInnen, die Ihnen hohe Geldbeträge versprechen, sind Kriminelle. E-Mails über angebliche Gewinne in Millionenhöhe werden massenhaft an beliebige E-Mail-Adressen versendet. Um das Geld zu erhalten, müssen Sie lediglich einen bestimmten Betrag – angeblich zur Abwicklung der Überweisung – und Ausweiskopien übermitteln. Tun Sie das, verlieren Sie nicht nur Ihr Geld, sondern auch Ihre [...] --------------------------------------------- https://www.watchlist-internet.at/news/zum-schnellen-geld-kommen-so-geht-es… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Web Security Appliance and Cisco Content Security Management Appliance HTTP Header Injection Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the API Framework of Cisco AsyncOS for Cisco Web Security Appliance (WSA) and Cisco Content Security Management Appliance (SMA) could allow an unauthenticated, remote attacker to inject crafted HTTP headers in the web servers response.The vulnerability is due to insufficient validation of user input. An attacker could exploit this vulnerability by persuading a user to access a crafted URL and receive a malicious HTTP response. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Slow HTTP DoS Attacks Mitigation ∗∗∗ --------------------------------------------- An Uncontrolled Resource Consumption vulnerability in multiple products may allow an attacker to cause web service portal denial of service (DoS) via handling special crafted HTTP requests/responses in pieces slowly. Slow HTTP attacks are denial-of-service (DoS) attacks in which the attacker sends HTTP requests in pieces slowly, one at a time to a Web server. --------------------------------------------- https://fortiguard.com/psirt/FG-IR-19-013 ∗∗∗ Vulnerability Spotlight: Denial-of-service, information leak bugs in Mini-SNMPD ∗∗∗ --------------------------------------------- Multiple vulnerabilities exist in Mini-SNMPD, a lightweight implementation of a Simple Network Management Protocol server. An attacker can exploit these bugs by providing a specially crafted SNMPD request to the user. These vulnerabilities could lead to a variety of conditions, potentially resulting in the disclosure of sensitive information and a denial-of-service condition. --------------------------------------------- https://blog.talosintelligence.com/2020/02/vuln-spotlight-mini-snmpd-feb-20… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (salt), CentOS (git), Debian (qtbase-opensource-src), Fedora (java-11-openjdk), Mageia (kernel and openjpeg2), openSUSE (mailman, python-reportlab, ucl, and upx), Oracle (git), Red Hat (container-tools:rhel8, go-toolset:rhel8, grub2, kernel, kernel-rt, php:7.2, and sudo), SUSE (crowbar-core, crowbar-openstack, openstack-neutron-fwaas, rubygem-crowbar-client and python36), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/811495/ ∗∗∗ Medtronic Releases Patches for Cardiac Device Flaws Disclosed in 2018, 2019 ∗∗∗ --------------------------------------------- Medical device company Medtronic informed customers last week that it has released patches for some cardiac device vulnerabilities disclosed in 2018 and 2019. --------------------------------------------- https://www.securityweek.com/medtronic-releases-patches-cardiac-device-flaw… ∗∗∗ Portfolio Filter Gallery < 1.1.3 - CSRF & Reflected XSS ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10057 ∗∗∗ Security Bulletin: A security vulnerability has been fixed in IBM Security Identity Manager (CVE-2019-4451) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a command execution vulnerability (CVE-2020-4163) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been addressed in IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® WebSphere Application Server Liberty shipped with IBM Security Directory Suite (CVE-2019-4305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Security Identity Manager Virtual Appliance is affected by multiple vulnerabilities (CVE-2019-4674, CVE-2018-15473, CVE-2019-4675) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-man… ∗∗∗ Security Bulletin: Vulnerability in Apache CXF affects WebSphere Application Server (CVE-2019-12406) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (January 2020v2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Android Security Bulletin Feburar 2020 ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0094 ∗∗∗ Squid: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0093 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.02.2020
by Daily end-of-shift report 03 Feb '20

03 Feb '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 31-01-2020 18:00 − Montag 03-02-2020 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Devious Spamhaus Phishing Scam Warns Youre on an Email Block List ∗∗∗ --------------------------------------------- A new phishing campaign distributing malware pretends to be from the Spamhaus Project warning that the recipients email address has been added to a spam block list due to sending unsolicited email. --------------------------------------------- https://www.bleepingcomputer.com/news/security/devious-spamhaus-phishing-sc… ∗∗∗ Abo-Falle durch gefälschte E-Mail von „Zoll Österreich“ ∗∗∗ --------------------------------------------- Eine neue Massenmail landet momentan im Posteingang unzähliger InternetnutzerInnen. In der Nachricht von „Zoll Österreich“ heißt es, dass eine Zollgebühr nicht bezahlt wurde. Dem Inhalt der E-Mail darf kein Glauben geschenkt werden, denn sie wird von Kriminellen verschickt. Eine Dateneingabe führt hier in eine teure Abo-Falle für 90 Euro monatlich. --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-durch-gefaelschte-e-mail-v… ∗∗∗ Hackers are hijacking smart building access systems to launch DDoS attacks ∗∗∗ --------------------------------------------- More than 2,300 building access systems can be hijacked due to a severe vulnerability left without a fix. --------------------------------------------- https://www.zdnet.com/article/hackers-are-hijacking-smart-building-access-s… ∗∗∗ Windows 10 PCs get these new Intel chip security updates for Zombieload attacks ∗∗∗ --------------------------------------------- Microsoft helps Intel deliver its latest microcode security updates to mitigate the Zombieload threat. --------------------------------------------- https://www.zdnet.com/article/windows-10-pcs-get-these-new-intel-chip-secur… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisory 2020-01-31-1 - Opkg susceptible to MITM (CVE-2020-7982) ∗∗∗ --------------------------------------------- A bug in the package list parse logic of OpenWrts opkg fork caused the package manager to ignore SHA-256 checksums embedded in the signed repository index, effectively bypassing integrity checking of downloaded .ipk artifacts. --------------------------------------------- https://lists.infradead.org/pipermail/openwrt-devel/2020-January/021544.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (opensmtpd), Debian (firefox-esr, libidn2, libjackson-json-java, prosody-modules, qemu, qtbase-opensource-src, spamassassin, and sudo), Fedora (e2fsprogs, java-1.8.0-openjdk, mingw-openjpeg2, openjpeg2, samba, sox, upx, webkit2gtk3, and xar), Red Hat (git), Scientific Linux (git), Slackware (sudo), SUSE (ceph and rmt-server), and Ubuntu (sudo). --------------------------------------------- https://lwn.net/Articles/811368/ ∗∗∗ Strong Testimonials < 2.40.1 - Stored Cross Site Scripting (XSS) ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10056 ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a WebSphere Application Server vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Log4j ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Vulnerabilities affect Watson Explorer Foundational Components (CVE-2019-1563, CVE-2019-1549, CVE-2019-1547) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-affect-wa… ∗∗∗ Security Bulletin: IBM API Connect is impacted by vulnerabilities in Golang (CVE-2019-17596) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Rational Asset Analyzer (RAA) is affected by a WebSphere Application Server vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-r… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a WebSphere Application Server vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: Information Disclosure in IBM StoredIQ (CVE-2020-4224) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: Rational Asset Analyzer (RAA) is affected by a WAS vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-r… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by multiple vulnerabilities in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Rational Asset Analyzer (RAA) is affected by several WebSphere Application Server vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-r… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.01.2020
by Daily end-of-shift report 31 Jan '20

31 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-01-2020 18:00 − Freitag 31-01-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft Detects New Evil Corp Malware Attacks After Short Break ∗∗∗ --------------------------------------------- Microsoft says that an ongoing Evil Corp phishing campaign is using attachments featuring HTML redirectors for delivering malicious Excel documents, this being the first time the threat actors have been seen adopting this technique. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-detects-new-evil-c… ∗∗∗ Researcher Finds Over 60 Vulnerabilities in Physical Security Systems ∗∗∗ --------------------------------------------- The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) recently published an advisory to warn users of Honeywell’s MAXPRO video management system (VMS) and network video recorder (NVR) products that Austria-based researcher Joachim Kerschbaumer had identified two serious vulnerabilities that could allow hackers to take control of affected systems. --------------------------------------------- https://www.securityweek.com/researcher-finds-over-60-vulnerabilities-physi… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsolv, libxmlrpc3-java, openjpeg2, qemu, and suricata), Fedora (ansible, chromium, java-latest-openjdk, links, mingw-openjpeg2, nss, openjpeg2, python-pillow, thunderbird, webkit2gtk3, and xen), Mageia (gdal, java-1.8.0-openjdk, mariadb, openjpeg2, and sqlite3), Oracle (kernel), Red Hat (rh-java-common-xmlrpc), SUSE (e2fsprogs, ImageMagick, php72, tigervnc, and wicked), and Ubuntu (keystone). --------------------------------------------- https://lwn.net/Articles/811199/ ∗∗∗ GistPress < 3.0.2 - Authenticated Stored XSS ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10053 ∗∗∗ Security Bulletin: IBM MQ and IBM MQ Appliance are vulnerable to a denial of service attack caused by specially constructed messages. (CVE-2019-4432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-and-ibm-mq-applian… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a denial of service (CVE-2019-4720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a information disclosure vulnerability in WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… ∗∗∗ Security Bulletin: Security vulnerabilities in the jackson-databind routines fixed in IBM Security Access Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM has released Unified Extensible Firmware Interface (UEFI) fixes in response to Intel escalation of privilege vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-released-unified-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.01.2020
by Daily end-of-shift report 30 Jan '20

30 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-01-2020 18:00 − Donnerstag 30-01-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Network Traffic Analysis for IR: SSH Protocol with Wireshark ∗∗∗ --------------------------------------------- Introduction to the SSH protocol The Secure Shell (SSH) is designed to allow confidential and authenticated remote access to a computer. Like the Telnet protocol, it enables a user to remotely access a command shell on a machine, run commands and access the results. However, unlike Telnet, SSH traffic is fully encrypted, making it the [...] --------------------------------------------- https://resources.infosecinstitute.com/network-traffic-analysis-for-ir-ssh-… ∗∗∗ Collating Hacked Data Sets ∗∗∗ --------------------------------------------- Two Harvard undergraduates completed a project where they went out on the Dark Web and found a bunch of stolen datasets. Then they correlated all the information, and then combined it with additional, publicly available information. No surprise: the result was much more detailed and personal."What we were able to do is alarming because we can now find vulnerabilities in peoples online presence very quickly," Metropolitansky said. --------------------------------------------- https://www.schneier.com/blog/archives/2020/01/collating_hacke.html ∗∗∗ Microsoft Azure Flaws Could Have Let Hackers Take Over Cloud Servers ∗∗∗ --------------------------------------------- Cybersecurity researchers at Check Point today disclosed details of two recently patched potentially dangerous vulnerabilities in Microsoft Azure services that, if exploited, could have allowed hackers to target several businesses that run their web and mobile apps on Azure. Azure App Service is a fully-managed integrated service that enables users to create web and mobile apps for any --------------------------------------------- https://thehackernews.com/2020/01/microsoft-azure-vulnerabilities.html ===================== = Vulnerabilities = ===================== ∗∗∗ Privilege escalation in Bitdefender Antivirus for Mac (VA-3499) ∗∗∗ --------------------------------------------- A privilege escalation vulnerability in BDLDaemon as used in Bitdefender Antivirus for Mac allows a local attacker to obtain authentication tokens for requests submitted to the Bitdefender Cloud. --------------------------------------------- https://www.bitdefender.com/support/security-advisories/privilege-escalatio… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphicsmagick, opensmtpd, webkit2gtk, wget, and zlib), openSUSE (apt-cacher-ng, GraphicsMagick, java-1_8_0-openjdk, mailman, mumble, rubygem-excon, sarg, and shadowsocks-libev), Oracle (libarchive and openjpeg2), Red Hat (firefox, fribidi, openjpeg2, SDL, and thunderbird), Scientific Linux (openjpeg2), SUSE (glibc, java-1_8_0-openjdk, and rmt-server), and Ubuntu (Apache Solr and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/811025/ ∗∗∗ Elementor Page Builder < 2.7.6 - Authenticated Stored XSS ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10052 ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability (CVE-2019-3815) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability (CVE-2018-15473) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Security vulnerabilities in the jackson-databind routines fixed in IBM Security Access Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability (CVE-2018-11214, CVE-2018-11213, CVE-2018-11212) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Virtualization Engine TS7700 – July 2019 and October 2019 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability (CVE-2019-11479, CVE-2019-11478, CVE-2019-11477) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to security vulnerability (CVE-2018-12404) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.01.2020
by Daily end-of-shift report 29 Jan '20

29 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-01-2020 18:00 − Mittwoch 29-01-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Critical Flaws in Magento e-Commerce Platform Allow Code-Execution ∗∗∗ --------------------------------------------- Admins are encouraged to update their websites to stave off attacks from Magecart card-skimmers and others. --------------------------------------------- https://threatpost.com/critical-flaws-magento-ecommerce-code-execution/1523… ∗∗∗ New Snake Ransomware Targets ICS Processes ∗∗∗ --------------------------------------------- A recently uncovered piece of file-encrypting ransomware, which some believe may be linked to Iran, has been targeting processes and files associated with industrial control systems (ICS). --------------------------------------------- https://www.securityweek.com/new-snake-ransomware-targets-ics-processes ∗∗∗ Attacker’s Tactics and Techniques in Unsecured Docker Daemons Revealed ∗∗∗ --------------------------------------------- We found an additional 1,400 unsecured Docker hosts and outline in this research some of the common tactics and techniques we found being used by attackers in compromised Docker engines. --------------------------------------------- https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-uns… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in OpenSMTPD erlaubt(e) Codeausführung aus der Ferne ∗∗∗ --------------------------------------------- BSD- und Linux-Server, auf denen OpenSMTPD läuft, brauchen umgehend ein Update auf Version 6.6.2p1. Es fixt eine kritische Remote-Code-Execution-Lücke. --------------------------------------------- https://heise.de/-4648501 ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- Router der Firma D-LINK enthalten eine Firewall und in der Regel eine WLAN-Schnittstelle. Die Geräte sind hauptsächlich für private Anwender und Kleinunternehmen konzipiert. --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2020/01/warn… ∗∗∗ 200K WordPress Sites Exposed to Takeoker Attacks by Plugin Bug ∗∗∗ --------------------------------------------- A high severity cross-site request forgery (CSRF) bug allows attackers to take over WordPress sites running an unpatched version of the Code Snippets plugin because of missing referer checks on the import menu. --------------------------------------------- https://www.bleepingcomputer.com/news/security/200k-wordpress-sites-exposed… ∗∗∗ Apple Releases Multiple Security Updates ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates: tvOS 13.3.1 Safari 13.0.5 iOS 13.3.1 and iPadOS 13.3.1 macOS Catalina 10.15.3, [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/01/28/apple-releases-mul… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (apache-commons-beanutils, java-1.8.0-openjdk, libarchive, openjpeg2, openslp, python-reportlab, and sqlite), Debian (hiredis, otrs2, and unzip), openSUSE (apt-cacher-ng, git, samba, sarg, and storeBackup), Oracle (openjpeg2), Red Hat (libarchive, openjpeg2, sqlite, and virt:rhel), SUSE (aws-cli and python-reportlab), and Ubuntu (libgcrypt11, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-hwe, linux-hwe, linux-aws-hwe, [...] --------------------------------------------- https://lwn.net/Articles/810881/ ∗∗∗ FreeBSD OS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0080 ∗∗∗ Cisco Small Business Switches Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business Switches Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabiltiies in PHP. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-bladecenter-advanced-… ∗∗∗ Security Bulletin: WebSphere Application Server browser stack trace vulnerability affects IBM Control Center (CVE-2019-4441) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: WebSphere Application Server improper cookie setting vulnerability affects IBM Control Center (CVE-2019-4305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: Websphere denial-of-service vulnerability affects IBM Control Center (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-denial-of-servi… ∗∗∗ Security Bulletin: Multiple security vulnerabilities were fixed in IBM Security Access Manager Appliance ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Java Vulnerability Impacts IBM Control Center (CVE-2019-2989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-java-vulnerability-impact… ∗∗∗ Security Bulletin: Multiple Websphere to HTTP2 implementation vulnerabilities affect IBM Control Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-websphere-to-htt… ∗∗∗ Security Bulletin: IBM WebSphere Application Server – Liberty improper session validation vulnerability affects IBM Control Center (CVE-2019-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Multiple security vulnerabilities were fixed in IBM Security Access Manager Appliance (CVE-2019-3861, CVE-019-3858) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Vulnerability in Apache PDFBox Affects IBM Control Center (CVE-2019-0228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-p… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.01.2020
by Daily end-of-shift report 28 Jan '20

28 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Montag 27-01-2020 18:00 − Dienstag 28-01-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücken: L1DES und VRS machen Intel-Chips angreifbar ∗∗∗ --------------------------------------------- Neue Attacken per Microarchitectural Data Sampling (MDS) treffen Intel-Prozessoren: Bei L1DES alias Cache Out ist der L1-Puffer das Ziel, bei VRS werden Vector-Register ausgenutzt. Intel arbeitet an Microcode-Updates. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-l1des-und-vrs-machen-intel-chi… ∗∗∗ Millions of Devices Using LoRaWAN Exposed to Hacker Attacks ∗∗∗ --------------------------------------------- Millions of devices deployed across a wide range of sectors could be exposed to hacker attacks due to security issues associated with the use of LoRaWAN, cybersecurity firm IOActive warned on Tuesday. --------------------------------------------- https://www.securityweek.com/millions-devices-using-lorawan-exposed-hacker-… ∗∗∗ Umfrage führt zu Geldwäsche in Ihrem Namen! ∗∗∗ --------------------------------------------- Auf diversen Job-Portalen stoßen Sie momentan auf Ausschreibungen betrügerischer Umfrageportale wie die HENRIKSON Research GmbH. Schon bei der Registrierung verlangt man Ihre Ausweiskopie sowie Selfies mit Pass oder Personalausweis. Melden Sie sich hier nicht an! Kriminelle stehlen Ihre Daten und tarnen die Eröffnung eines Bankkontos in Ihrem Namen als bezahlte Umfrage. Achtung: Auch diverse andere Websites locken in diese Falle. --------------------------------------------- https://www.watchlist-internet.at/news/umfrage-fuehrt-zu-geldwaesche-in-ihr… ∗∗∗ E-Mail: Doppelte Abbuchung Ihrer Magenta-Rechnung ist Fake ∗∗∗ --------------------------------------------- „Aufgrund eines Fehlers unserer Rechnungsabteilung wurde Ihnen das Doppelte Ihrer letzten Rechnung in Rechnung gestellt“ heißt es in der betrügerischen E-Mail, die angeblich von Magenta versendet wurde. Sie werden weiters aufgefordert, eine Rückerstattung zu beantragen. Klicken Sie keinesfalls auf den Link, Sie gelangen auf eine gefälschte Magenta-Seite. Kriminelle stehlen Ihre Zugangs- und Kreditkartendaten. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-doppelte-abbuchung-ihrer-mage… ∗∗∗ Attacking Azure, Azure AD, and Introducing PowerZure ∗∗∗ --------------------------------------------- Over the past decade, Azure’s presence in businesses has grown significantly as new features and support were added to Azure. The purpose of this article is to cover three main points: 1. Explain the components of Azure and how they fit into a modern IT environment. 2. Explain how certain things within Azure can be leveraged from an offensive perspective. 3. Introduce the PowerZure project and explain how it helps offensive operations against Azure. --------------------------------------------- https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerz… ===================== = Vulnerabilities = ===================== ∗∗∗ [20200103] - Core - XSS in com_actionlogs ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: High Severity: Low Versions: 3.9.0-3.9.14 Exploit type: XSS Reported Date: 2019-December-25 Fixed Date: 2020-January-28 CVE Number: CVE-2020-xxxxx Description Inadequate escaping of usernames allow XSS attacks in com_actionlogs. Affected Installs Joomla! CMS versions 3.9.0 - 3.9.14 Solution Upgrade to version 3.9.15 Contact The JSST at the Joomla! Security Centre. Reported By: Mayank Kumbhar from Techjoomla --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/12kRPDhkkFM/800-20200103-c… ∗∗∗ [20200102] - Core - CSRF com_templates LESS compiler ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: High Severity: Low Versions: 3.0.0-3.9.14 Exploit type: CSRF Reported Date: 2019-December-18 Fixed Date: 2020-January-28 CVE Number: CVE-2020-xxxxx Description A missing CSRF token check in the LESS compiler of com_templates causes a CSRF vulnerability. Affected Installs Joomla! CMS versions 3.0.0 - 3.9.14 Solution Upgrade to version 3.9.15 Contact The JSST at the Joomla! Security Centre. Reported By: Lee Thao from Viettel Cyber Security --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/gs3oN6Illx8/799-20200102-c… ∗∗∗ [20200101] - Core - CSRF in batch actions ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Moderate Severity: Low Versions: 3.0.0-3.9.14 Exploit type: CSRF Reported Date: 2019-December-23 Fixed Date: 2020-January-28 CVE Number: CVE-2020-xxxxx Description Missing token checks in the batch actions of various components causes CSRF vulnerabilities. Affected Installs Joomla! CMS versions 3.0.0 - 3.9.14 Solution Upgrade to version 3.9.15 Contact The JSST at the Joomla! Security Centre. Reported By: Lee Thao from Viettel Cyber Security --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/9zV9kdB-WAw/798-20200101-c… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (iperf3, openjpeg2, and tomcat7), Mageia (ansible, c3p0, fontforge, glpi, gthumb, libbsd, libmediainfo, libmp4v2, libqb, libsass, mbedtls, opencontainers-runc, php, python-pip, python-reportlab, python3, samba, sysstat, tomcat, virtualbox, and webkit2), openSUSE (java-11-openjdk, libredwg, and sarg), Oracle (sqlite), Red Hat (libarchive, nss, and openjpeg2), Scientific Linux (sqlite), SUSE (nodejs6), and Ubuntu (cyrus-sasl2, linux, linux-aws, linux, [...] --------------------------------------------- https://lwn.net/Articles/810771/ ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by OpenSSL vulnerabilities (CVE-2018-0734 and CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: An Apache Commons Compress vulnerability has been identified with the embedded IBM FileNet P8 Content Platform Engine component in IBM Business Process Manager and IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-apache-commons-compres… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an OpenSSH vulnerability (CVE-2018-15473) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-ze ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vyatta-5600-vrouter-softw… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by HTTP/2 vulnerabilities (CVE-2019-9511 and CVE-2019-9513) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: A security vulnerability was fixed in IBM Security Access Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A Security Vulnerability Has Been Identified In WebSphere Application Server ND shipped with IBM Security Identity Manager (CVE-2019-4505) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.01.2020
by Daily end-of-shift report 27 Jan '20

27 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-01-2020 18:00 − Montag 27-01-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ DIVD-2020-00002 - Wildcard certificates Citrix ADC ∗∗∗ --------------------------------------------- Our analysis of the scan data collected on the night of January 9 to 10 shows that of the more than 700 vulnerable Citrix servers identified in the Netherlands, over 450 used wildcard certificates. [...] Recommendation: Revoke and replace certificates (preferably for non-wildcard versions) unless you can reliable determine that the Citrix system wasn't compromised. --------------------------------------------- https://www.securitymeldpunt.nl/cases/DIVD-2020-00002/ ∗∗∗ Mitsubishi-Hack: Sicherheitslücke in Anti-Viren-Software als Einfallstor ∗∗∗ --------------------------------------------- Es gibt neue Details über die Hacker-Attacke auf Mitsubishi Electric. Mittlerweile ist die Sicherheitslücke bekannt und was die Angreifer kopiert haben. --------------------------------------------- https://heise.de/-4646386 ∗∗∗ Potenziell schädlich: Mozilla löscht 197 Add-ons für Firefox ∗∗∗ --------------------------------------------- Mozilla hat insgesamt 197 Add-ons für Firefox gelöscht, die potenziell schädlich waren. Die meisten stammten vom selben Anbieter. --------------------------------------------- https://heise.de/-4646392 ∗∗∗ New Ryuk Info Stealer Targets Government and Military Secrets ∗∗∗ --------------------------------------------- A new version of the Ryuk Stealer malware has been enhanced to allow it to steal a greater amount of confidential files related to the military, government, financial statements, banking, and other sensitive data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-target… ∗∗∗ Does Your Domain Have a Registry Lock? ∗∗∗ --------------------------------------------- If youre running a business online, few things can be as disruptive or destructive to your brand as someone stealing your companys domain name and doing whatever they wish with it. Even so, most major Web site owners arent taking full advantage of the security tools available to protect their domains from being hijacked. Heres the story of one recent victim who was doing almost everything possible to avoid such a situation and still had a key domain stolen by scammers. --------------------------------------------- https://krebsonsecurity.com/2020/01/does-your-domain-have-a-registry-lock/ ∗∗∗ PoC Exploits Created for Recently Patched BlueGate Windows Server Flaws ∗∗∗ --------------------------------------------- Proof-of-concept (PoC) exploits have been released for two recently patched Remote Desktop Gateway vulnerabilities that can be exploited for remote code execution. --------------------------------------------- https://www.securityweek.com/poc-exploits-created-recently-patched-bluegate… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jsoup and slirp), Fedora (community-mysql, elog, fontforge, libuv, libvpx, mingw-podofo, nodejs, opensc, podofo, thunderbird-enigmail, transfig, and xfig), openSUSE (arc, libssh, and libvpx), Red Hat (git, java-1.8.0-openjdk, java-11-openjdk, python-reportlab, and sqlite), Slackware (thunderbird), and SUSE (java-1_8_0-openjdk, python, and samba). --------------------------------------------- https://lwn.net/Articles/810614/ ∗∗∗ Fortinet removes SSH and database backdoors from its SIEM product ∗∗∗ --------------------------------------------- Patches have been released for CVE-2019-17659 and CVE-2019-16153. --------------------------------------------- https://www.zdnet.com/article/fortinet-removes-ssh-and-database-backdoors-f… ∗∗∗ Linux kernel vulnerability CVE-2019-19069 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K60130614 ∗∗∗ WPS Hide Login < 1.5.5 - Secret Login Page Disclosure ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10046 ∗∗∗ Security Bulletin: A Security Vulnerability Has Been Identified In IBM Security Secret Server (CVE-2019-4638) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Watson IoT MessageGateway Server is affected by a buffer overflow vulnerability (CVE-2020-4207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-iot-messagegat… ∗∗∗ Security Bulletin: Vulnerability in IBM Websphere Application Server Liberty used by IBM Cloud Pak System (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-webs… ∗∗∗ Security Bulletin: A Security Vulnerability Has Been Identified In IBM Security Secret Server (CVE-2019-4639) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A Security Vulnerability Has Been Identified In IBM Security Secret Server (CVE-2019-4632) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities Have Been Identified In IBM Security Secret Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A Security Vulnerability Has Been Identified In IBM Security Secret Server (CVE-2019-4637) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by converting an invalid message. (CVE-2019-4614) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: A Security Vulnerability Has Been Identified In IBM Security Secret Server (CVE-2019-4635) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Overly Permissive CORS Policy vulnerability found on IBM Security Secret Server (CVE-2019-4633) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-overly-permissive-cors-po… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.01.2020
by Daily end-of-shift report 24 Jan '20

24 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-01-2020 18:00 − Freitag 24-01-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ TrickBot Now Steals Windows Active Directory Credentials ∗∗∗ --------------------------------------------- A new module for the TrickBot trojan has been discovered that targets the Active Directory database stored on compromised Windows domain controllers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-… ∗∗∗ NSA Releases Guidance on Mitigating Cloud Vulnerabilities ∗∗∗ --------------------------------------------- The National Security Agency (NSA) has released an information sheet with guidance on mitigating cloud vulnerabilities. NSA identifies cloud security components and discusses threat actors, cloud vulnerabilities, and potential mitigation measures. The Cybersecurity and Infrastructure Security Agency (CISA) encourages administrators and users to review NSAs guidance on Mitigating Cloud Vulnerabilities and CISA’s page on APTs Targeting IT Service [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/01/24/nsa-releases-guida… ∗∗∗ Kaspersky: Shlayer-Trojaner und Adware häufigste Bedrohungen für Mac-Nutzer ∗∗∗ --------------------------------------------- Shlayer wird auch über Links auf großen Seiten wie YouTube und Wikipedia verbreitet, warnt die Sicherheitsfirma. Der Trojaner schleuste bislang nur Adware ein. --------------------------------------------- https://heise.de/-4645548 ∗∗∗ Hackers target unpatched Citrix servers to deploy ransomware ∗∗∗ --------------------------------------------- REvil ransomware gang has been spotted abusing Citrix bug to infect victims. --------------------------------------------- https://www.zdnet.com/article/hackers-target-unpatched-citrix-servers-to-de… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Webex Meetings Suite and Cisco Webex Meetings Online Unauthenticated Meeting Join Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in Cisco Webex Meetings Suite sites and Cisco Webex Meetings Online sites could allow an unauthenticated, remote attendee to join a password-protected meeting without providing the meeting password. The connection attempt must initiate from a Webex mobile application for either iOS or Android. The vulnerability is due to unintended meeting information exposure in a specific meeting join flow for mobile applications. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Fixes now available for Citrix ADC, Citrix Gateway versions 12.1 and 13.0 ∗∗∗ --------------------------------------------- Today, we released permanent fixes to address the CVE-2019-19781 vulnerability for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 12.1 and 13.0. These fixes are available to download for ADC and Gateway. --------------------------------------------- https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-… ∗∗∗ MDhex: Angreifer könnten medizinische Geräte von GE Healthcare kontrollieren ∗∗∗ --------------------------------------------- Aufgrund von unsicheren Standardeinstellungen und veralteter Software mit Sicherheitslücken ist die Überwachung von Patienten gefährdet. --------------------------------------------- https://heise.de/-4645197 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (git and python-apt), Oracle (openslp), Red Hat (chromium-browser and ghostscript), SUSE (samba, slurm, and tomcat), and Ubuntu (clamav, gnutls28, and python-apt). --------------------------------------------- https://lwn.net/Articles/810459/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2020-0001 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2019-8835 Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before 2.26.3. Credit to Anonymous working with Trend Micro’s Zero Day Initiative, Mike Zhang of Pangu Team. Impact: Processing maliciously crafted web content may lead toarbitrary code execution. --------------------------------------------- https://webkitgtk.org/security/WSA-2020-0001.html ∗∗∗ wpCentral < 1.4.8 - Privilege Escalation ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10045 ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by multiple OpenSSL vulnerabilities (CVE-2019-1547,CVE-2019-1549, CVE-2019-1563) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by NSS and libgcrypt vulnerabilities (CVE-2018-12404 and CVE-2018-0495) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an MIT Kerberos 5 vulnerability (CVE-2017-11462) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an unauthorised access vulnerability (CVE-2019-4621) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM MQ Appliance could allow a local attacker to bypass security restrictions (CVE-2019-4620) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-could-al… ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2019-1552 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: CVE-2019-2989 vulnerabilitiy in IBM Java Runtime affects IBM Process Designer used in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-2989-vulnerabili… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.01.2020
by Daily end-of-shift report 23 Jan '20

23 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-01-2020 18:00 − Donnerstag 23-01-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Datenleck: Microsoft-Datenbank mit 250 Millionen Support-Fällen im Netz ∗∗∗ --------------------------------------------- Rund einen Monat konnte auf eine Datenbank des Microsoft-Supports über das Internet zugegriffen werden. Die Fälle reichen bis in das Jahr 2005 zurück. --------------------------------------------- https://www.golem.de/news/datenleck-microsoft-datenbank-mit-250-millionen-s… ∗∗∗ Datenleck bei Autovermietung Buchbinder: Was Betroffene jetzt tun können ∗∗∗ --------------------------------------------- Auskunftsansprüche, Meldepflichten oder sogar Schadensersatz: Was können die drei Millionen Betroffenen unternehmen und welche Rechte stehen ihnen zu? --------------------------------------------- https://heise.de/-4644140 ===================== = Vulnerabilities = ===================== ∗∗∗ Keine Anmeldung nötig - Angreifer könnten Cisco Firepower übernehmen ∗∗∗ --------------------------------------------- Es sind Sicherheitsupdates für verschiedene Cisco-Produkte erschienen. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-4644474 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (chromium, libredwg, and thunderbird), Oracle (apache-commons-beanutils, java-1.8.0-openjdk, libarchive, and python-reportlab), Red Hat (kernel), Scientific Linux (apache-commons-beanutils, libarchive, and openslp), SUSE (java-11-openjdk), and Ubuntu (e2fsprogs, graphicsmagick, python-apt, and zlib). --------------------------------------------- https://lwn.net/Articles/810367/ ∗∗∗ PHP: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0067 ∗∗∗ Calculated Fields Form < 1.0.354 - Authenticated Stored XSS ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10043 ∗∗∗ SpamSpan filter - Moderately critical - Cross site scripting - SA-CONTRIB-2020-002 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2020-002 ∗∗∗ Security Bulletin: A security vulnerability has been identified in OpenCV shipped with PowerAI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in OpenSSH (CVE-2018-15919) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-management… ∗∗∗ Security Bulletin: A security vulnerability has been identified in lodash shipped with PowerAI. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Security Information Queue uses database components with known vulnerabilities (CVE-2016-3506, CVE-2018-1058, CVE-2018-10936, CVE-2019-9193) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-information-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.01.2020
by Daily end-of-shift report 22 Jan '20

22 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-01-2020 18:00 − Mittwoch 22-01-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Actively Exploited IE 11 Zero-Day Bug Gets Temporary Patch ∗∗∗ --------------------------------------------- A micropatch implementing Microsofts workaround for the actively exploited zero-day remote code execution (RCE) vulnerability impacting Internet Explorer is now available via the 0patch platform until an official fix will be released. --------------------------------------------- https://www.bleepingcomputer.com/news/security/actively-exploited-ie-11-zer… ∗∗∗ sLoad launches version 2.0, Starslord ∗∗∗ --------------------------------------------- sLoad has launched version 2.0. With the new version, sLoad, which is a PowerShell-based Trojan downloader notable for its almost exclusive use of the Windows BITS service for malicious activities, has added an anti-analysis trick and the ability to track the stage of infection for every affected machine. --------------------------------------------- https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2… ∗∗∗ FireEye and Citrix Tool Scans for Indicators of Compromise Related to CVE-2019-19781 ∗∗∗ --------------------------------------------- [...] To help organizations identify compromised systems associated with CVE-2019-19781, FireEye and Citrix worked together to release a new tool that searches for indicators of compromise (IoC) associated with attacker activity observed by FireEye Mandiant. This tool is freely accessible in both the Citrix and FireEye GitHub repositories. --------------------------------------------- https://www.fireeye.com/blog/products-and-services/2020/01/fireeye-and-citr… ∗∗∗ Aktuelle Welle: Ursnif-Trojaner versteckt sich in Zip-Archiven ∗∗∗ --------------------------------------------- Derzeit sind mal wieder vermehrt E-Mails mit gefährlichem Dateianhang in Umlauf. Der Schädling namens Ursnif hat es unter anderem auf Account-Daten abgesehen. --------------------------------------------- https://heise.de/-4643571 ∗∗∗ Achtung: Gekaperte WhatsApp-Kontakte verlangen Verifizierungscode ∗∗∗ --------------------------------------------- Einige WhatsApp-UserInnen berichten von eigenen Kontakten, die per WhatsApp einen Verifizierungscode verlangen. Die Profile dieser Kontakte wurden bereits über die gleiche Betrugsmasche übernommen. Wer auf die Nachrichten der vermeintlichen Bekannten und Familienmitglieder mit den angeforderten Codes antwortet, verliert das eigene WhatsApp-Profil an Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-gekaperte-whatsapp-kontakte-… ∗∗∗ In enterprise attack wave, NetWire Trojan now buries itself in disk image files ∗∗∗ --------------------------------------------- Enterprise companies are being targeted by a business email scam harnessing the Trojan. --------------------------------------------- https://www.zdnet.com/article/in-new-enterprise-attack-wave-netwire-rat-tro… ===================== = Vulnerabilities = ===================== ∗∗∗ Honeywell Maxpro VMS & NVR ∗∗∗ --------------------------------------------- This advisory contains mitigations for deserialization of untrusted data and SQL injection vulnerabilities in Honeywells MAXPRO VMS & NVR video management systems. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-021-01 ∗∗∗ Bitdefender BOX 2 bootstrap download_image command injection vulnerability ∗∗∗ --------------------------------------------- An exploitable command injection vulnerability exists in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method /api/download_image unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. An unauthenticated attacker should impersonate a remote nimbus server to trigger this vulnerability. --------------------------------------------- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0919 ∗∗∗ Sicherheitsupdate: AMD-Treiber und VMware können ein gefährlicher Cocktail sein ∗∗∗ --------------------------------------------- Angreifer könnten mit einem präparierten Pixel Shader eine AMD-Treiber-Lücke ausnutzen, um aus einer VM auszubrechen. --------------------------------------------- https://heise.de/-4643294 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tiff and transfig), Fedora (thunderbird-enigmail), Mageia (ffmpeg and sox), openSUSE (fontforge, python3, and tigervnc), Oracle (python-reportlab), Red Hat (apache-commons-beanutils, java-1.8.0-openjdk, kernel, kernel-alt, libarchive, openslp, openvswitch2.11, openvswitch2.12, and python-reportlab), Scientific Linux (java-1.8.0-openjdk and python-reportlab), SUSE (samba and tigervnc), and Ubuntu (python-pysaml2). --------------------------------------------- https://lwn.net/Articles/810282/ *** Cisco Security Advisories *** --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ IBM Security Bulletins (High Severity) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/tag/psirthigh/ ∗∗∗ Security Bulletin: IBM Integration Bus Hyper visor Edition V9.0 require customer action for security vulnerabilities in Red Hat Linux ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-hyper… ∗∗∗ Security Advisory - Improper Authorization Vulnerability in Several Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200122-… ∗∗∗ Security Advisory - Two Integer Overflow Vulnerabilities in LDAP of Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200115-… ∗∗∗ Security Advisory - Insufficient Verification Vulnerability in Some Huawei products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200122-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.01.2020
by Daily end-of-shift report 21 Jan '20

21 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Montag 20-01-2020 18:00 − Dienstag 21-01-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ SIM Hijacking ∗∗∗ --------------------------------------------- SIM hijacking -- or SIM swapping -- is an attack where a fraudster contacts your cell phone provider and convinces them to switch your account to a phone that they control. Since your smartphone often serves as a security measure or backup verification system, this allows the fraudster to take over other accounts of yours. Sometimes this involves people inside the phone companies. Phone companies have added security measures since this attack became popular and public, but a new study [...] --------------------------------------------- https://www.schneier.com/blog/archives/2020/01/sim_hijacking.html ∗∗∗ Realistic Factory Honeypot Shows Threats Faced by Industrial Organizations ∗∗∗ --------------------------------------------- Trend Micro researchers have set up a factory honeypot and found that industrial organizations should be more concerned about attacks launched by profit-driven cybercriminals rather than the threat posed by sophisticated state-sponsored groups. --------------------------------------------- https://www.securityweek.com/realistic-factory-honeypot-shows-threats-faced… ∗∗∗ Vorsicht vor betrügerischen Microsoft-Anrufen ∗∗∗ --------------------------------------------- Aktuell geben sich Kriminelle wieder als Microsoft-MitarbeiterInnen aus und rufen beliebige Telefonnummern an. Angeblich gäbe es ein Problem mit Ihrem Computer. Dieses wollen die betrügerischen AnruferInnen nun mit Ihnen gemeinsam beheben. Legen Sie sofort auf, Kriminelle wollen sich Zugang auf Ihren Computer verschaffen und sensible Benutzerdaten abgreifen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-microso… ∗∗∗ Antivirus vendors push fixes for EFS ransomware attack method ∗∗∗ --------------------------------------------- Signature-based software may not be enough to protect Microsoft’s Windows EFS against evolving ransomware families. --------------------------------------------- https://www.zdnet.com/article/antivirus-vendors-scramble-to-fix-new-efs-ran… ===================== = Vulnerabilities = ===================== ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit one of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Samba Security Announcements for CVE-2019-14902, CVE-2019-14907, and CVE-2019-19344 and apply the necessary updates and workarounds. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/01/21/samba-releases-sec… ∗∗∗ CVE-2019-19886 – HIGH – DoS against libModSecurity 3 ∗∗∗ --------------------------------------------- The ModSecurity 3.0.x release line suffers from a Denial of Service vulnerability after triggering a segmentation fault on the webserver when parsing a malformed cookie header. All users of ModSecurity 3.0.0 – 3.0.3 should update to ModSecurity 3.0.4 as soon as possible. --------------------------------------------- https://coreruleset.org/20200118/cve-2019-19886-high-dos-against-libmodsecu… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openconnect), Fedora (e2fsprogs, glibc, kernel, and nss), openSUSE (Mesa, php7, and slurm), Oracle (.NET Core, java-1.8.0-openjdk, java-11-openjdk, and thunderbird), Red Hat (java-1.8.0-openjdk, openvswitch, and openvswitch2.11), Scientific Linux (java-1.8.0-openjdk), SUSE (java-11-openjdk, libssh, libvpx, Mesa, and thunderbird), and Ubuntu (libbsd and samba). --------------------------------------------- https://lwn.net/Articles/810157/ ∗∗∗ Insufficient Authentication Vulnerability in OSCA Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200121-… ∗∗∗ Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0062 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0061 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.01.2020
by Daily end-of-shift report 20 Jan '20

20 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-01-2020 18:00 − Montag 20-01-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Datenleck: Passwörter zu 515.000 Servern und IoT-Geräten veröffentlicht ∗∗∗ --------------------------------------------- Der Betreiber eines DDoS-Dienstes hat eine lange Liste mit Zugangsdaten und IP-Adressen von Servern, Routern und IoT-Geräten veröffentlicht. Die Daten könnten zum Aufbau eines Botnetzwerkes missbraucht werden - oder um die Geräte zu zerstören. --------------------------------------------- https://www.golem.de/news/datenleck-passwoerter-zu-515-000-servern-und-iot-… ∗∗∗ TLS: Netgear verteilt private Schlüssel in Firmware ∗∗∗ --------------------------------------------- Sicherheitsforscher haben private Schlüssel für TLS-Zertifikate veröffentlicht, die Netgear mit seiner Router-Firmware verteilt. Der Hersteller hatte nur wenige Tage Reaktionszeit. Die Forscher lehnen die Praktiken von Netgear prinzipiell ab, was zur Veröffentlichung geführt hat. --------------------------------------------- https://www.golem.de/news/tls-netgear-verteilt-private-schluessel-in-firmwa… ∗∗∗ Jetzt patchen! Erste Sicherheitsupdates für kritische Citrix-Lücke erschienen ∗∗∗ --------------------------------------------- Da Angreifer derzeit eine Lücke in Citrix ADC ausnutzen, sollten Admins die nun verfügbaren Patches umgehend installieren. --------------------------------------------- https://heise.de/-4641774 ∗∗∗ Business in the front, party in the back: backdoors in elastic servers expose private data ∗∗∗ --------------------------------------------- Its all too easy to discover data leaks online, especially in cloud services. We take a look at misconfigurations in elastic servers that lead to exposed data on the Internet. --------------------------------------------- https://blog.malwarebytes.com/threat-spotlight/2020/01/business-in-the-fron… ∗∗∗ Gefälschte A1-Mail greift Kreditkartendaten ab! ∗∗∗ --------------------------------------------- Unzählige KonsumentInnen wenden sich mit gefälschten A1-E-Mails an die Watchlist Internet. Angeblich sind bei der letzten Abrechnung 72,77 Euro zu viel abgebucht worden. Um das Geld zurückzuerhalten, soll ein Rückerstattungsantrag ausgefüllt werden. Betroffene dürfen das keinesfalls tun, denn sonst landen sämtliche Kreditkartendaten in den Händen Krimineller! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-a1-mail-greift-kreditkar… ===================== = Vulnerabilities = ===================== ∗∗∗ Internet Explorer: Zero-Day-Schwachstelle in JScript Scripting Engine ∗∗∗ --------------------------------------------- Im Internet Explorer steckt eine teils als kritisch eingestufte Schwachstelle, die Remote Code Execution erlaubt. Derzeit hilft dagegen nur ein Workaround. --------------------------------------------- https://heise.de/-4641331 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (git, java-11-openjdk, and thunderbird), Debian (cacti, chromium, gpac, kernel, openjdk-11, ruby-excon, and thunderbird), Fedora (chromium and rubygem-rack), Mageia (suricata, tigervnc, and wireshark), openSUSE (glusterfs, libredwg, and uftpd), and Ubuntu (linux-hwe and sysstat). --------------------------------------------- https://lwn.net/Articles/810070/ ∗∗∗ 2J SlideShow < 1.3.40 - Authenticated Arbitrary Plugin Deactivation ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10034 ∗∗∗ Security Advisory - Path Traversal Vulnerability in Huawei GaussDB ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200120-… ∗∗∗ Security Advisory - Command Injection Vulnerability in GaussDB 200 Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200120-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200120-… ∗∗∗ HPESBST03977 rev.1 - HPE Command View Advanced Edition (CVAE), Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.01.2020
by Daily end-of-shift report 17 Jan '20

17 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-01-2020 18:00 − Freitag 17-01-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ TrickBot Now Uses a Windows 10 UAC Bypass to Evade Detection ∗∗∗ --------------------------------------------- The TrickBot Trojan has received an update that adds a UAC bypass targeting the Windows 10 operating system so that it infects users without displaying any visible prompts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-… ∗∗∗ Dutch Govt Suggests Turning Off Citrix ADC Devices, Mitigations May Fail ∗∗∗ --------------------------------------------- Mitigation recommendations for CVE-2019-19781, a currently unpatched critical flaw affecting Citrix Application Delivery Controller (ADC) and Citrix Gateway, do not have the expected effect on all product versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dutch-govt-suggests-turning-… ∗∗∗ FTCODE Ransomware - New Version Includes Stealing Capabilities ∗∗∗ --------------------------------------------- Recently, the Zscaler ThreatLabZ team came across PowerShell-based ransomware called “FTCODE,” which targets Italian-language users. An earlier version of FTCODE ransomware was being downloaded using a document file that contained malicious macros. In the recent campaign, the ransomware is being downloaded using VBScript. --------------------------------------------- https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-inclu… ∗∗∗ 404 Exploit Not Found: Vigilante Deploying Mitigation for CitrixNetScaler Vulnerability While Maintaining Backdoor ∗∗∗ --------------------------------------------- As noted in Rough Patch: I Promise Itll Be 200 OK, our FireEye Mandiant Incident Response team has been hard at work responding to intrusions stemming from the exploitation of CVE-2019-19781. After analyzing dozens of successful exploitation attempts against Citrix ADCs that did not have the Citrix mitigation steps implemented, we’ve recognized multiple groups of post-exploitation activity. Within these, something caught our eye: one particular threat actor that’s been deploying a [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mit… ∗∗∗ Hinweise auf mögliche Verwundbarkeiten der Medizin-Telematik ∗∗∗ --------------------------------------------- Open-Source-Bibliotheken, die im Telematik-Konnektor von T-Systems zum Einsatz kommen, weisen hunderte bekannter Sicherheitslücken auf. --------------------------------------------- https://heise.de/-4635791 ∗∗∗ WeLeakInfo, the site which sold access to passwords stolen in data breaches, is brought down by the FBI ∗∗∗ --------------------------------------------- Law enforcement agencies have seized control of the domain of WeLeakInfo, a website offering cheap access to billions of personal credentials stolen from approximately 10,000 data breaches. --------------------------------------------- https://www.grahamcluley.com/weleakinfo-seized/ ===================== = Vulnerabilities = ===================== ∗∗∗ Schneider Electric Modicon Controllers ∗∗∗ --------------------------------------------- This advisory contains mitigations for several improper check for unusual or exceptional conditions vulnerabilities in Schneider Electric Modicon PLC controllers. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-016-01 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium), Fedora (gnulib, ImageMagick, jetty, ocsinventory-agent, phpMyAdmin, python-django, rubygem-rmagick, thunderbird, and xar), Mageia (e2fsprogs, kernel, and libjpeg), openSUSE (icingaweb2), Oracle (git, java-11-openjdk, and thunderbird), Red Hat (.NET Core), Scientific Linux (git, java-11-openjdk, and thunderbird), SUSE (fontforge and LibreOffice), and Ubuntu (kamailio and thunderbird). --------------------------------------------- https://lwn.net/Articles/809916/ ∗∗∗ HPESBNS03981 rev.1 - HPE ViewPoint on NonStop, Local Disclosure of Sensitive Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBNS03976 rev.1 - HPE NonStop using Sudo ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Pivotal Spring Framework: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0057 ∗∗∗ Trend Micro Produkte: Mehrere Schwachstellen ermöglichen Erlangen von Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0055 ∗∗∗ Linux Kernel: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0058 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.01.2020
by Daily end-of-shift report 16 Jan '20

16 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-01-2020 18:00 − Donnerstag 16-01-2020 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Microsoft Office January Security Updates Fix Code Execution Bugs ∗∗∗ --------------------------------------------- Microsoft released the January 2019 Office security updates, bundling a total of seven security updates and three cumulative updates for five different products, six of them patching flaws allowing remote code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-office-january-sec… ∗∗∗ PoC Exploits Published For Microsoft Crypto Bug ∗∗∗ --------------------------------------------- Two proof-of-concept exploits were publicly released for the major Microsoft crypto-spoofing vulnerability. --------------------------------------------- https://threatpost.com/poc-exploits-published-for-microsoft-crypto-bug/1519… ∗∗∗ CVE-2020-0601 Followup, (Wed, Jan 15th) ∗∗∗ --------------------------------------------- Among the patches Microsoft released yesterday, the vulnerability in the CryptoAPI got by far the most attention. Here are some answers to questions we have received about this vulnerability. Many of these questions also came from our webcast audience (for a recording, see https://sans.org/cryptoapi-isc ) Thanks to Jake Williams for helping us with the webcast! --------------------------------------------- https://isc.sans.edu/diary/rss/25714 ∗∗∗ What do Brit biz consultants and X-rated cam stars have in common? Wide open... AWS S3 buckets on public internet ∗∗∗ --------------------------------------------- Exposed: Intimate... personal details belonging to thousands of folks A pair of misconfigured cloud-hosted file silos have left thousands of peoples sensitive info sitting on the open internet. --------------------------------------------- https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/15/open_s3_… ∗∗∗ Analyzing Magecart Malware - From Zero to Hero ∗∗∗ --------------------------------------------- Javascript obfuscation is not a new trend, but it is widely used today to hide malware code in many websites. This post is for technical readers who want to understand Magecart’s common obfuscation pattern, and ways to decode it. --------------------------------------------- https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_her… ∗∗∗ Sicherheitsupdates: Lücken in VMware-Software bedrohen Android, iOS und Windows ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für VMware Tools und Workspace ONE SDK erschienen. --------------------------------------------- https://heise.de/-4639627 ∗∗∗ Key Cloud Security Challenges and Strategies to Overcome Them ∗∗∗ --------------------------------------------- The cloud has changed how we use and consume IT services. Where data resides along with how it is transferred, stored and processed has fundamentally changed and with-it new risk management challenges. Let’s talk about some of those challenges. First and foremost, the cat is out of the bag. We’re not going back to the [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/cloud/k… ∗∗∗ Unseriöse Angebote für die digitale Vignette ∗∗∗ --------------------------------------------- Wie jedes Jahr steht bei den meisten AutofahrerInnen mit dem Jahreswechsel der Kauf einer neuen Vignette an. Diese kann analog oder digital unter anderem bei der ASFINAG, dem ÖAMTC und dem ARBÖ erworben werden. Achtung: Auch unseriöse Angebote, bei denen das gesetzliche Widerrufsrecht unterschlagen wird und zusätzliche Kosten anfallen, sind im Internet zu finden. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-angebote-fuer-die-digital… ∗∗∗ Beware of this sneaky phishing technique now being used in more attacks ∗∗∗ --------------------------------------------- Security company researchers warn of a large increase in conversation-hijacking attacks. Heres what they are and how to spot them. --------------------------------------------- https://www.zdnet.com/article/beware-of-this-sneaky-phishing-technique-now-… ===================== = Vulnerabilities = ===================== ∗∗∗ OSIsoft PI Vision ∗∗∗ --------------------------------------------- This advisory contains mitigations for improper access control, cross-site request forgery, cross-site scripting, and inclusion of sensitive information vulnerabilities in OSIsofts PI Vision visualization tool. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-20-014-06 ∗∗∗ Radix - Moderately critical - Cross site scripting - SA-CONTRIB-2020-001 ∗∗∗ --------------------------------------------- Project: Radix Date: 2020-January-15 Security risk: Moderately critical 13∕25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All Vulnerability: Cross site scripting Description: Radix is a base theme for Drupal, with Bootstrap 4, Sass, ES6 and BrowserSync built-in. The module doesnt sufficiently filter menu titles when used in a dropdown in the main menu. This vulnerability is mitigated by the fact that an attacker must have permission to edit a menu title used in the main menu. --------------------------------------------- https://www.drupal.org/sa-contrib-2020-001 ∗∗∗ Easily Exploitable Vulnerabilities Patched in WP Database Reset Plugin ∗∗∗ --------------------------------------------- On January 7th, our Threat Intelligence team discovered vulnerabilities in WP Database Reset, a WordPress plugin installed on over 80,000 websites. One of these flaws allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state, while the other flaw allowed any authenticated user, even those with minimal permissions, [...] --------------------------------------------- https://www.wordfence.com/blog/2020/01/easily-exploitable-vulnerabilities-p… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-lan-config and phpmyadmin), openSUSE (openssl-1_1), Oracle (firefox and kernel), Red Hat (.NET Core, git, java-11-openjdk, and thunderbird), SUSE (Mesa, python3, shibboleth-sp, slurm, and tigervnc), and Ubuntu (libpcap and nginx). --------------------------------------------- https://lwn.net/Articles/809769/ ∗∗∗ HPESBGN03975 rev.1 - HPE enhanced Internet Usage Manager (eIUM), Remote Cross Site Scripting ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03978 rev.1 - HPE Superdome Flex Server, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Foxit Reader und Foxit Phantom PDF Suite: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0052 ∗∗∗ Wireshark: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0053 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.01.2020
by Daily end-of-shift report 15 Jan '20

15 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-01-2020 18:00 − Mittwoch 15-01-2020 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Patch Tuesday: Windows patzt bei Zertifikatsprüfung ∗∗∗ --------------------------------------------- Eine Lücke in der Zertifikatsvalidierung von Windows ermöglicht es, die Codesignaturprüfung auszutricksen und TLS-Verbindungen anzugreifen. Zudem gibt es eine Sicherheitslücke im Remote Desktop Gateway. --------------------------------------------- https://www.golem.de/news/patch-tuesday-windows-patzt-bei-zertifikatspruefu… ∗∗∗ CISA Releases Emergency Directive and Activity Alert on Critical Microsoft Vulnerabilities ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has released an Emergency Directive and Activity Alert addressing critical vulnerabilities affecting Windows CryptoAPI, Windows Remote Desktop Gateway (RD Gateway), and Windows Remote Desktop Client. A remote attacker could exploit these vulnerabilities to decrypt, modify, or inject data on user connections. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/01/14/cisa-releases-emer… ∗∗∗ Critical Cisco DCNM flaws: Patch right now as PoC exploits are released ∗∗∗ --------------------------------------------- The need to patch Cisco Data Center Network Manager for Nexus switches becomes even more urgent. --------------------------------------------- https://www.zdnet.com/article/critical-cisco-dcnm-flaws-patch-right-now-as-… ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - January 2020 ∗∗∗ --------------------------------------------- This Critical Patch Update contains 334 new security patches across the product families listed below. --------------------------------------------- https://www.oracle.com/security-alerts/cpujan2020.html ∗∗∗ Huawei Security Advisories ∗∗∗ --------------------------------------------- * Intel Microarchitectural Data Sampling (MDS) vulnerabilities * Three OpenSSL Vulnerabilities in Huawei Products * Page-Cache Side-Channel Vulnerability * Three DoS Vulnerabilities in the SIP Module of Some Huawei Products * Information Leakage Vulnerability in some Huawei Firewall Product * Buffer Overflow Vulnerability in QEMU-KVM * FRP Bypass Vulnerability in Huawei Smart Phones * Insufficient Authentication Vulnerability in Some Huawei Smart Phones * Improper Authentication Vulnerability in Smartphones * FragmentSmack Vulnerability in Linux Kernel * Two Integer Overflow Vulnerabilities in LDAP of Some Huawei Products --------------------------------------------- https://www.huawei.com/en/psirt/all-bulletins?name=security-advisories&year… ∗∗∗ Sicherheitsupdates: Intel-Lücken zur Rechteausweitung geschlossen ∗∗∗ --------------------------------------------- Intels Entwickler haben gefährliche Lücken in unter anderem Chip-/CPU-Software und VTune geschlossen. --------------------------------------------- https://heise.de/-4638307 ∗∗∗ VMSA-2020-0002 ∗∗∗ --------------------------------------------- VMware Tools workaround addresses a local privilege escalation vulnerability (CVE-2020-3941) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0002.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (thunderbird), CentOS (firefox), openSUSE (chromium, firefox, GraphicsMagick, log4j, nodejs8, phpMyAdmin, singularity, and virglrenderer), Oracle (kernel), Red Hat (firefox), SUSE (man, nodejs10, openssl-1_1, and php7), and Ubuntu (php5, php7.0, php7.2, php7.3 and spamassassin). --------------------------------------------- https://lwn.net/Articles/809624/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.01.2020
by Daily end-of-shift report 14 Jan '20

14 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Montag 13-01-2020 18:00 − Dienstag 14-01-2020 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 7 Reaches End of Life Tomorrow, What You Need to Know ∗∗∗ --------------------------------------------- Its the end of an era: Windows 7 will reach end of support tomorrow, on January 14, a decade after its initial release, with Microsoft to no longer provide users with software updates and security updates or fixes. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-7-reaches-end-of-li… ∗∗∗ Shitrix: Das Citrix-Desaster ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in Geräten der Firma Citrix zeigt in erschreckender Weise, wie schlecht es um die IT-Sicherheit in Behörden steht. Es fehlt an den absoluten Grundlagen. --------------------------------------------- https://www.golem.de/news/shitrix-das-citrix-desaster-2001-146047-rss.html ∗∗∗ Malware Obfuscation, Encoding and Encryption ∗∗∗ --------------------------------------------- Malware is complex and meant to confuse. Many computer users think malware is just another word for “virus” when a virus is actually a type of malware. And in addition to viruses, malware includes all sorts of malicious and unwanted code, including spyware, adware, Trojans and worms. Malware has been known to shut down [...] --------------------------------------------- https://resources.infosecinstitute.com/malware-obfuscation-encoding-and-enc… ∗∗∗ CISA Releases Test for Citrix ADC and Gateway Vulnerability ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has released a utility that enables users and administrators to test whether their Citrix Application Delivery Controller (ADC) and Citrix Gateway software is susceptible to the CVE-2019-19781 vulnerability. According to Citrix Security Bulletin CTX267027, beginning on January 20, 2020, Citrix will be releasing new versions of Citrix ADC and Citrix Gateway that will patch CVE-2019-19781. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test… ∗∗∗ Mehrwertdienste von Drittanbietern auf Ihrer Handyrechnung sind meist Abo-Fallen ∗∗∗ --------------------------------------------- Eine Handyrechnung, die höher ausfällt als gewohnt, bedeutet meist nichts Gutes. Oftmals finden Sie Abbuchungen von Drittanbietern, Mehrwert- oder Partnerdiensten auf Ihrer Rechnung. Sie haben wahrscheinlich unwissentlich bei einem unseriösen Anbieter einen Abo-Vertrag abgeschlossen. Ihr Geld ist höchstwahrscheinlich jedoch nicht verloren: Sie können die Rechnung beim Mobilfunkanbieter beanstanden! --------------------------------------------- https://www.watchlist-internet.at/news/mehrwertdienste-von-drittanbietern-a… ∗∗∗ Microsoft spots malicious npm package stealing data from UNIX systems ∗∗∗ --------------------------------------------- Malicious JavaScript package was only active on the npm repository for two weeks. --------------------------------------------- https://www.zdnet.com/article/microsoft-spots-malicious-npm-package-stealin… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Experience Manager (APSB20-01) and Adobe Illustrator (APSB20-03). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided “AS IS” with no warranties and confers no rights. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1820 ∗∗∗ XSA-312 - arm: a CPU may speculate past the ERET instruction ∗∗∗ --------------------------------------------- Some CPUs can speculate past an ERET instruction and potentially perform speculative accesses to memory before processing the exception return. Since the register state is often controlled by lower privilege level (i.e guest kernel/userspace) at the point of the ERET, this could potentially be used as part of a side-channel attack. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-312.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (wordpress and xen), Mageia (graphicsmagick, kernel, makepasswd, and unbound), openSUSE (containerd, docker, docker-runc,, dia, ffmpeg-4, libgcrypt, php7-imagick, proftpd, rubygem-excon, shibboleth-sp, tomcat, trousers, and xen), Oracle (firefox), Red Hat (kernel), Scientific Linux (firefox), SUSE (e2fsprogs, kernel, and libsolv, libzypp, zypper), and Ubuntu (libgcrypt20, libvirt, nginx, sdl-image1.2, and spamassassin). --------------------------------------------- https://lwn.net/Articles/809506/ ∗∗∗ SAP Security Patch Day – January 2020 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape. On 14th of January 2020, SAP Security Patch Day saw the release of 6 Security Notes. There are 1 updates to previously released Patch Day [...] --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=533671771 ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html#SecurityPubli… ∗∗∗ BIG-IP engineering hotfix TMM vulnerability CVE-2020-5852 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53590702 ∗∗∗ BIG-IP APM Portal Access vulnerability CVE-2020-5853 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K73183618 ∗∗∗ BIG-IP engineering hotfix Trusted Platform Module vulnerability CVE-2020-5851 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91171450 ∗∗∗ Critical Authentication Bypass Vulnerability in InfiniteWP Client Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2020/01/critical-authentication-bypass-vulne… ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.01.2020
by Daily end-of-shift report 13 Jan '20

13 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-01-2020 18:00 − Montag 13-01-2020 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Citrix CVE-2019-19781 aktiv ausgenutzt ∗∗∗ --------------------------------------------- Ende 2019 wurde eine Sicherheitslücke in diversen Citrix-Geräten bekannt (CVE-2019-19781), die das Ausführen beliebiger Befehle über das Netzwerk ohne jegliche Authentifikation ermöglicht (unauthenticated RCE). Am 10. Jänner 2020 wurde der erste Exploit für diese Lücke auf GitHub veröffentlicht und sie wird (spätestens) seit diesem Zeitpunkt aktiv ausgenutzt. --------------------------------------------- https://cert.at/de/blog/2020/1/citrix-cve-2019-19781-aktiv-ausgenutzt ∗∗∗ Network Traffic Analysis for Incident Response: Internet Protocol with Wireshark ∗∗∗ --------------------------------------------- The Internet Protocol (IP) is the most widely-used network-level protocol. Common transport-level protocols, the Transport Control Protocol (TCP) and the User Datagram Protocol (UDP), are encapsulated within IP packets. The purpose of IP is to make networks like the internet possible. Within a subnet, it is possible to route traffic [...] --------------------------------------------- https://resources.infosecinstitute.com/network-traffic-analysis-for-inciden… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (file and firefox), Debian (apache-log4j1.2), Fedora (chromium, dovecot, GraphicsMagick, kubernetes, libvpx, makepasswd, matio, and slurm), Mageia (libtomcrypt, ming, oniguruma, opencv, pcsc-lite, phpmyadmin, and thunderbird), openSUSE (chromium, chromium, re2, and mozilla-nspr, mozilla-nss), Red Hat (chromium-browser, firefox, and rabbitmq-server), Slackware (mozilla), and SUSE (crowbar-core, crowbar-openstack, [...] --------------------------------------------- https://lwn.net/Articles/809312/ ∗∗∗ Security Advisory - Weak Algorithm Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200108-… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 68.4.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.01.2020
by Daily end-of-shift report 10 Jan '20

10 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-01-2020 18:00 − Freitag 10-01-2020 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641 ∗∗∗ --------------------------------------------- This is the first blog post in a three-part series that will detail how a vulnerability in iMessage can be exploited remotely without any user interaction on iOS 12.4 (fixed in iOS 12.4.1 in August 2019). It is essentially a more detailed version of my 36C3 talk from December 2019. --------------------------------------------- https://googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-p… ∗∗∗ Windows Debugging & Exploiting Part 3: WinDBG Time Travel Debugging ∗∗∗ --------------------------------------------- Time to start 2020? No better time for writing about the TTD (Time Travel Debugging) feature from WinDBG. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/windows-deb… ===================== = Vulnerabilities = ===================== ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- Betroffene Systeme: D-LINK Router DCS-935L, D-LINK Router DCS-960L Ein entfernter, anonymer Angreifer kann eine Schwachstelle in D-LINK Routern ausnutzen, um die Kontrolle über das Gerät zu übernehmen. --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2020/01/warn… ∗∗∗ VMSA-2020-0001 - VMware Workspace ONE SDK and dependent mobile application updates address sensitive information disclosure vulnerability (CVE-2020-3940) ∗∗∗ --------------------------------------------- VMware Workspace ONE SDK and dependent mobile applications do not properly handle certificate verification failures if SSL Pinning has been enabled in the Workspace ONE UEM Console. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 6.8. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2020-0001.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ldm and sa-exim), Mageia (firefox), openSUSE (chromium, firefox, and thunderbird), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, firefox, log4j, nodejs10, nodejs12, and openssl-1_0_0), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/809175/ ∗∗∗ Mattermost security update 5.18.1 / 5.17.3 / 5.16.5 / 5.9.8 (ESR) released ∗∗∗ --------------------------------------------- We have released a recommended security update via Mattermost Team Edition 5.18.1, 5.17.3, 5.16.5, 5.9.8 (ESR) and Mattermost Enterprise Edition 5.18.1, 5.17.3, 5.16.5, 5.9.8 (ESR). This security update addresses a high level vulnerability discovered during a security research review by Juho Nurminen. --------------------------------------------- https://mattermost.com/blog/mattermost-security-update-5-18-1-5-17-3-5-16-5… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.01.2020
by Daily end-of-shift report 09 Jan '20

09 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-01-2020 18:00 − Donnerstag 09-01-2020 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ SNAKE Ransomware Is the Next Threat Targeting Business Networks ∗∗∗ --------------------------------------------- Since network administrators didnt already have enough on their plate, they now have to worry about a new ransomware called SNAKE that is targeting their networks and aiming to encrypt all of the devices connected to it [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next… ∗∗∗ A tale of a lesser known NFS privesc ∗∗∗ --------------------------------------------- There are countless online examples of privilege escalation abusing bad NFS configuration. However they all rely on the same prerequisite: that you are able to mount the share from somewhere else. ... But it just so happens that there is another, lesser known local exploit. --------------------------------------------- https://www.errno.fr/nfs_privesc ∗∗∗ What is the Linux Auditing System (aka AuditD)? ∗∗∗ --------------------------------------------- The Linux Auditing System is a native feature to the Linux kernel that collects certain types of system activity to facilitate incident investigation. ... Our goal is to present a neutral overview of the Linux Auditing System so anyone considering implementing it in their own organization knows what to consider before embarking on their quest and what challenges may lurk ahead. --------------------------------------------- https://capsule8.com/blog/auditd-what-is-the-linux-auditing-system/ ===================== = Vulnerabilities = ===================== ∗∗∗ Schnell updaten: Sicherheitslücke in Firefox wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Firefox hat mit Version 72.0.1 ein wichtiges Sicherheitsupdate herausgegeben. Geschlossen wird eine Sicherheitslücke, die bereits aktiv ausgenutzt wird. Gemeldet wurde sie von einer chinesischen Sicherheitsfirma. (Firefox, Browser) --------------------------------------------- https://www.golem.de/news/schnell-updaten-sicherheitsluecke-in-firefox-wird… ∗∗∗ What is Cable Haunt? ∗∗∗ --------------------------------------------- Cable Haunt is a critical vulnerability found in cable modems from various manufacturers across the world. ... First, access to the vulnerable endpoint is gained through a client on the local network, such as a browser. Secondly the vulnerable endpoint is hit with a buffer overflow attack, which gives the attacker control of the modem. .. list of confirmed vulnerable modems: Sagemcom F@st 3890/3986, Technicolor TC7230, Netgear C6250EMR/CG3700EMR, COMPAL 7284E/7486E --------------------------------------------- https://cablehaunt.com/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (firefox), Oracle (kernel), Slackware (firefox and kernel), SUSE (apache2-mod_perl, git, java-1_7_0-ibm, java-1_7_1-ibm, log4j, mariadb, and nodejs8), and Ubuntu (gnutls28, graphicsmagick, and nss). --------------------------------------------- https://lwn.net/Articles/809074/ ∗∗∗ CVE-2020-6175 - Citrix SD-WAN Security Update ∗∗∗ --------------------------------------------- An information disclosure vulnerability has been identified in the Citrix SD-WAN Appliance. This vulnerability could allow an unauthenticated attacker to perform a man-in-the-middle attack against management traffic. The vulnerability has been assigned the following CVE number. CVE-2020-6175 – Information Disclosure in Citrix SD-WAN Appliance 10.2.x before 10.2.6 and 11.0.x before 11.0.3 --------------------------------------------- https://support.citrix.com/article/CTX263526 ∗∗∗ JSA10979 - 2020-01 Security Bulletin: Junos OS: A specific SNMP command can trigger a high CPU usage Denial of Service in the RPD daemon. (CVE-2020-1600) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10979&actp=RSS ∗∗∗ JSA10980 - 2020-01 Security Bulletin: Junos OS: Upon receipt of certain types of malformed PCEP packets the pccd process may crash. (CVE-2020-1601) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10980&actp=RSS ∗∗∗ JSA10982 - 2020-01 Security Bulletin: Junos OS: Improper handling of specific IPv6 packets sent by clients may cause client devices IPv6 traffic to be black holed, and eventually kernel crash (vmcore) the device. (CVE-2020-1603) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10982&actp=RSS ∗∗∗ JSA10981 - 2020-01 Security Bulletin: Junos OS and Junos OS Evolved: Multiple vulnerabilities in JDHCPD allow for OS command injection and code execution of JDHCPD. ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10981&actp=RSS ∗∗∗ JSA10983 - 2020-01 Security Bulletin: Junos OS: EX4300/EX4600/QFX3500/QFX5100 Series: Stateless IP firewall filter may fail to evaluate certain packets (CVE-2020-1604) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10983&actp=RSS ∗∗∗ JSA10985 - 2020-01 Security Bulletin: Junos OS: Path traversal vulnerability in J-Web (CVE-2020-1606) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10985&actp=RSS ∗∗∗ JSA10986 - 2020-01 Security Bulletin: Junos OS: Cross-Site Scripting (XSS) in J-Web (CVE-2020-1607) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10986&actp=RSS ∗∗∗ JSA10987 - 2020-01 Security Bulletin: Junos OS: MX Series: In BBE configurations, receipt of a specific MPLS or IPv6 packet causes a Denial of Service (CVE-2020-1608) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10987&actp=RSS ∗∗∗ JSA10990 - 2020-01 Security Bulletin: SBR Carrier: Multiple Vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10990&actp=RSS ∗∗∗ JSA10991 - 2020-01 Security Bulletin: SBR Carrier: Multiple Vulnerabilities in Net-SNMP ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10991&actp=RSS -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.01.2020
by Daily end-of-shift report 08 Jan '20

08 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-01-2020 18:00 − Mittwoch 08-01-2020 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Project Zero: Googles Bug-Jäger wollen weniger schludrige Patches ∗∗∗ --------------------------------------------- Im laufenden Jahr wollen Googles Security-Bug-Forscher des Project Zero die Disclosure-Richtlinien ändern. Das soll betroffenen Unternehmen nicht nur Updates erleichtern, sondern vor allem die Qualität der Patches verbessern. --------------------------------------------- https://www.golem.de/news/project-zero-googles-bug-jaeger-wollen-weniger-sc… ∗∗∗ The Basics of Packed Malware: Manually Unpacking UPX Executables ∗∗∗ --------------------------------------------- In this blog post, I want to discuss what packing is, the basics of why malware developers pack their samples and how they go about doing so. Since this is an introductory post, and I myself am still learning all this stuff, we’re going to be manually unpacking a UPX-packed binary, which is one of the simplest packers out there. --------------------------------------------- https://kindredsec.com/2020/01/07/the-basics-of-packed-malware-manually-unp… ∗∗∗ Tricky Phish Angles for Persistence, Not Passwords ∗∗∗ --------------------------------------------- The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service. Anyone who takes the bait will inadvertently forward a digital token to the attackers that gives them indefinite access to the victim’s email, files and contacts — even after the victim has changed their password. --------------------------------------------- https://krebsonsecurity.com/2020/01/tricky-phish-angles-for-persistence-not… ∗∗∗ SMS von TrackInfo zu gestopptem DHL-Paket führt in Abo-Falle ∗∗∗ --------------------------------------------- Zahlreiche LeserInnen wenden sich momentan an die Watchlist Internet, weil sie eine SMS von TrackInfo zu einem unzustellbaren Paket erhalten haben. Ein Link in der Nachricht führt auf eine gefälschte DHL-Website. Wegen zu hohen Gewichts müssten nun 2 Euro bezahlt werden. Achtung: Die Nachricht stammt von Kriminellen und soll EmpfängerInnen in eine Abo-Falle locken! --------------------------------------------- https://www.watchlist-internet.at/news/sms-von-trackinfo-zu-gestopptem-dhl-… ===================== = Vulnerabilities = ===================== ∗∗∗ Interpeak IPnet TCP/IP Stack (Update D) ∗∗∗ --------------------------------------------- This updated medical advisory is a follow-up to the advisory update titled ICSMA-19-274-01 Interpeak IPnet TCP/IP Stack (Update C) published November 5, 2019, on the ICS webpage on us-cert.gov. This updated medical advisory contains mitigations for stack-based buffer overflow, heap-based buffer overflow, integer underflow, improper restriction of operations within the bounds of a memory buffer, race condition, argument injection, and null pointer dereference vulnerabilities in the Interpeak [...] --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsma-19-274-01 ∗∗∗ PMASA-2020-1 ∗∗∗ --------------------------------------------- SQL injection in user accounts pageAffected VersionsphpMyAdmin 4.x versions prior to 4.9.4 are affected, at least as old as 4.0.0. phpMyAdmin 5.x version 5.0.0 is affected.CVE IDCVE-2020-5504 --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2020-1/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox), Debian (python-django and wordpress), Fedora (dovecot), Mageia (opensc, radare2, and varnish), Red Hat (rh-java-common-apache-commons-beanutils), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, java-1_8_0-ibm, java-1_8_0-openjdk, libzypp, openssl-1_0_0, sysstat, and tomcat), and Ubuntu (clamav, linux-azure, and linux-lts-xenial, linux-aws). --------------------------------------------- https://lwn.net/Articles/808975/ ∗∗∗ Fortinet FortiSIEM 5.2.5 / 5.2.6 Hardcoded Key ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2020010061 ∗∗∗ Cisco AnyConnect Secure Mobility Client for Android Service Hijack Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Video Mesh Node Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Centers Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Vision Dynamic Signage Director Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco UCS Director Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Mobility Management Entity Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Authorization Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Finesse Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Emergency Responder Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Data Center Analytics Framework Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Unified Customer Voice Portal Insecure Direct Object Reference Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Crosswork Change Automation Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Weak Algorithm Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200108-… ∗∗∗ Security Advisory - Information Leak Vulnerability in Some Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200108-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200108-… ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200108-… ∗∗∗ January 6, 2020 TNS-2020-01 [R1] SimpleSAMLPHP Stand-alone Patch Available for Tenable.sc versions 5.9.x to 5.12.x ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2020-01-0 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.01.2020
by Daily end-of-shift report 07 Jan '20

07 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-01-2020 18:00 − Dienstag 07-01-2020 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ In eigener Sache: CERT.at sucht Verstärkung ∗∗∗ --------------------------------------------- Für ein internationales Projekt suchen wir eine/n erfahrene/n Pythonentwickler/in (Vollzeit) zum ehestmöglichen Einstieg. Details finden sich auf unserer Jobs-Seite. --------------------------------------------- https://cert.at/de/ueber-uns/jobs/ ∗∗∗ Fake Windows 10 Desktop Used in New Police Browser Lock Scam ∗∗∗ --------------------------------------------- Scammers have taken an old browser scam and invigorated it using a clever and new tactic that takes advantage of your web browsers full-screen mode to show a fake Windows 10 desktop stating your computer is locked. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-windows-10-desktop-used… ∗∗∗ Android-Schadsoftware: Die Tricks mit der Google-Sicherheitslücke ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Schad-Apps im Play Store gefunden, die über eine Google lange bekannte Android-Sicherheitslücke und weitere Tricks Nutzer ausspionierten. Die im Oktober aktiv ausgenutzte Lücke hatte Google eineinhalb Jahre vorher selbst entdeckt. --------------------------------------------- https://www.golem.de/news/android-schadsoftware-die-tricks-mit-der-google-s… ∗∗∗ A Quick Update on Scanning for CVE-2019-19781 (Citrix ADC / Gateway Vulnerability), (Tue, Jan 7th) ∗∗∗ --------------------------------------------- For the last week, I have been monitoring our honeypot logs for evidence of exploits taking advantage of CVE-2019-19781. Currently, I have not seen an actual "exploit" being used. But there is some evidence that people are scanning for vulnerable systems. Based on some of the errors made with these scans, I would not consider them "sophisticated." There is luckily still no public exploit I am aware of. --------------------------------------------- https://isc.sans.edu/diary/rss/25686 ∗∗∗ The Hidden Cost of Ransomware: Wholesale Password Theft ∗∗∗ --------------------------------------------- Moral of the story: Companies that experience a ransomware attack — or for that matter any type of equally invasive malware infestation — should assume that all credentials stored anywhere on the local network (including those saved inside Web browsers and password managers) are compromised and need to be changed. --------------------------------------------- https://krebsonsecurity.com/2020/01/the-hidden-cost-of-ransomware-wholesale… ∗∗∗ Breaking PHPs mt_rand() with 2 values and no bruteforce ∗∗∗ --------------------------------------------- .. one of our researchers was adamant that it was possible to recover the Mersenne Twister seed using only two outputs of the mt_rand() function, and without any kind of bruteforce. Nevertheless, we were unable to find any information supporting this theory, and his notes on the matter were long lost. After crunching the numbers a little bit, and years after the PRNG-prediction circus, we proved him right. --------------------------------------------- https://www.ambionics.io/blog/php-mt-rand-prediction ∗∗∗ SSH Client Auditing & Hardening ∗∗∗ --------------------------------------------- Its been known for years now that SSH servers can (and should) be hardened by removing weak default algorithms. For example, recent versions of OpenSSH ship with algorithms suspected suspected of being back-doored by the NSA (i.e.: ECDSA with the NIST P-curves), along with other algorithms with sub-128bit security levels. But did you know that client software can be hardened too? --------------------------------------------- https://www.positronsecurity.com/blog/2020-01-07-ssh-client-auditing-and-ha… ∗∗∗ SSH Pentesting Guide ∗∗∗ --------------------------------------------- In this guide, I will: * Quickly introduce the SSH protocol and implementations. * Expose some common configuration mistakes then showcase some attacks on the protocol & implementations. * Present some SSH pentesting & blue team tools. * Give a standard reference for security guidelines --------------------------------------------- https://community.turgensec.com/ssh-hacking-guide/ ∗∗∗ First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust [PDF] ∗∗∗ --------------------------------------------- In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1.. --------------------------------------------- https://eprint.iacr.org/2020/014.pdf ∗∗∗ Jetzt patchen! Ransomware-Attacken auf VPN-Server mit Pulse Connect Secure ∗∗∗ --------------------------------------------- Erneut nehmen Angreifer VPN-Server mit Pulse Connect Secure ins Visier und nutzen eine kritische Sicherheitslücke aus. Ein Patch ist schon länger verfügbar. --------------------------------------------- https://heise.de/-4629452 ∗∗∗ Versteckte Kosten bei Übernachtungsgutscheinen von Geoplus ∗∗∗ --------------------------------------------- Wie zahlreiche InternetnutzerInnen erhalten Sie womöglich E-Mails von Geoplus, in denen Sie zur Teilnahme an einer europäischen Studie eingeladen werden. Dafür verspricht man Ihnen einen Gutschein für bis zu fünf kostenlose Übernachtungen in über 500 Hotels in 14 Ländern. Achtung: Von „kostenlos“ kann nicht die Rede sein, denn beim Einlösen der Gutscheine müssen Sie Zahlung von Pflichtverpflegungssätzen leisten. --------------------------------------------- https://www.watchlist-internet.at/news/versteckte-kosten-bei-uebernachtungs… ∗∗∗ What is the random oracle model and why should you care? (Part 5) ∗∗∗ --------------------------------------------- This is part five of a series on the Random Oracle Model. See here for the previous posts: Part 1: An introduction Part 2: The ROM formalized, a scheme and a proof sketch Part 3: How we abuse the ROM to make our security proofs work Part 4: Some more examples of where the ROM … Continue reading What is the random oracle model and why should you care? (Part 5) → --------------------------------------------- https://blog.cryptographyengineering.com/2020/01/05/what-is-the-random-orac… ∗∗∗ Half of the websites using WebAssembly use it for malicious purposes ∗∗∗ --------------------------------------------- In an academic research project that was carried out last year, four researchers from the Technical University in Braunschweig, Germany, looked at WebAssembly's use on the Alexa Top 1 Million popular sites on the internet, in an attempt to gauge the popularity of this new technology. --------------------------------------------- https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it… ===================== = Vulnerabilities = ===================== ∗∗∗ Android Security Bulletin—January 2020 ∗∗∗ --------------------------------------------- The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2020-01-01.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (netty) and Fedora (libssh, nethack, php, samba, and xen). --------------------------------------------- https://lwn.net/Articles/808621/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, cyrus-imapd, drupal7-l10n_update, drupal7-webform, htmldoc, nethack, php, and singularity), Mageia (advancecomp, apache-commons-compress-, cyrus-imapd, cyrus-sasl, dia, freeimage, freeradius, igraph, jhead, jss, libdwarf, libextractor, libxml2, mediawiki, memcached, mozjs60, openconnect, openssl, putty, python-ecdsa, python-werkzeug, shadowsocks-libev, and upx), Oracle (container-tools:1.0 and container-tools:ol8), and Red Hat --------------------------------------------- https://lwn.net/Articles/808803/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nss and pillow), Red Hat (java-1.8.0-ibm and kernel), Slackware (firefox), SUSE (virglrenderer), and Ubuntu (linux, linux-aws, linux-aws-5.0, linux-azure, linux-gcp, linux-gke-5.0, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-kvm, linux-oracle, linux-raspi2, and linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/808881/ ∗∗∗ Security Vulnerabilities fixed in Firefox 72 ∗∗∗ --------------------------------------------- Severity: high CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting CVE-2019-17017: Type Confusion in XPCVariant.cpp --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/ ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Liberty affect IBM WIoTP MessageGateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageSight ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services for Multi-Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Financial Transaction Manager for Check Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Check Services for Multi-Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Security Vulnerabilties have been addressed in IBM Cognos Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilties-h… ∗∗∗ Security Bulletin: Information Exposure vulnerability found on IBM Security Secret Server (CVE-2019-4634) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-exposure-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.01.2020
by Daily end-of-shift report 03 Jan '20

03 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-01-2020 18:00 − Freitag 03-01-2020 18:00 Handler: Robert Waldner Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Promiscuous Cookies and Their Impending Death via the SameSite Policy ∗∗∗ --------------------------------------------- Cookies like to get around. They have no scruples about where they go save for some basic constraints relating to the origin from which they were set. I mean have a think about it:If a website sets a cookie then you click a link to another page on that [...] --------------------------------------------- https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-… ∗∗∗ Gefälschte E-Mail zu Amazon-Bestellung ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit E-Mails zu einer angeblichen Amazon-Bestellung. In der Mail wird darauf hingewiesen, dass eine Bestellung von einem bisher nicht benutzten Gerät aus getätigt wurde. Im Anhang findet man ein PDF mit Infos zur angeblichen Bestellung und der Möglichkeit, die Bestellung zu stornieren. Wer das tut, gibt seine Amazon-Zugangsdaten an Kriminelle weiter! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-e-mail-zu-amazon-bestell… ===================== = Vulnerabilities = ===================== ∗∗∗ Workaround verfügbar: Kritische Lücke in Citrix ADC und Gateway ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit Citrix ADC und Gateway attackieren und Schadcode ausführen. Patches sind bislang nicht erschienen. --------------------------------------------- https://heise.de/-4627525 ∗∗∗ Vulnerability Spotlight: Two buffer overflow vulnerabilities in OpenCV ∗∗∗ --------------------------------------------- Cisco Talos recently discovered two buffer overflow vulnerabilities in the OpenCV libraries. An attacker could potentially exploit these bugs to cause heap corruptions and potentially code execution. Intel Research originally developed OpenCV in 1999, but it is currently maintained by the non-profit organization OpenCV.org. OpenCV is used for numerous applications, including facial recognition technology, robotics, motion tracking [...] --------------------------------------------- https://blog.talosintelligence.com/2020/01/opencv-buffer-overflow-jan-2020.… ∗∗∗ WooCommerce Conversion Tracking < 2.0.6 - CSRF to XSS ∗∗∗ --------------------------------------------- https://wpvulndb.com/vulnerabilities/10001 ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – OpenSSL (CVE-2019-1563, CVE-2019-1549, CVE-2019-1547) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVE-ID: CVE-2019-11244) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Tivoli Storage Manager FastBack (CVE-2019-2816) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabities in SSL in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabities-in-ssl-in-i… ∗∗∗ Security Bulletin: IBM DataPower Gateway is potentially vulnerable to two cryptographic side-channel vulnerabilities in SSL. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-is-… ∗∗∗ Security Bulletin: Potential side-channel cryptographic vulnerabilities in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-side-channel-cr… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private Cloud Foundry – Python (CVE-2019-9947, CVE-2019-9948) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Potential disclosure of information in IBM DataPower Gateway (CVE-2018-14348) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-disclosure-of-i… ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K20-0002 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.01.2020
by Daily end-of-shift report 02 Jan '20

02 Jan '20

===================== = End-of-Day report = ===================== Timeframe: Montag 30-12-2019 18:00 − Donnerstag 02-01-2020 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ransomware in Node.js, (Thu, Jan 2nd) ∗∗∗ --------------------------------------------- Here is a sample that I spotted two days ago. Its an interesting one because its a malware that implements ransomware features developed in Node.js! The stage one is not obfuscated and I suspect the script to be a prototype or a test... --------------------------------------------- https://isc.sans.edu/diary/rss/25664 ∗∗∗ The Anatomy of Website Malware Part 2: Credit Card Stealers ∗∗∗ --------------------------------------------- One of the biggest malicious trends in the last few months and years are credit card stealers — also commonly referred to as credit card skimmers or cc stealers . In the second part of this Website Malware Anatomy series, I’m going to deconstruct several skimmers and show you what they look like, where they are hiding, and how they work. --------------------------------------------- https://blog.sucuri.net/2019/12/the-anatomy-of-website-malware-part-2-credi… ∗∗∗ Kaufen Sie keine Welpen auf realpuppieshome.com ∗∗∗ --------------------------------------------- Auf realpuppieshome.com werden Ihnen zahlreiche entzückende Zuchtwelpen angezeigt und zur Adoption angeboten. Die aufwendig gestaltete Website täuscht dabei ein seriöses Angebot vor. Doch nehmen Sie sich in Acht: Hier erhalten Sie das gewünschte Hundejunge nie. Stattdessen verlieren Sie Ihr Geld an Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-keine-welpen-auf-realpupp… ===================== = Vulnerabilities = ===================== ∗∗∗ December 30, 2019 TNS-2019-09 [R1] Tenable.sc 5.13.0 Fixes Multiple Third-Party Vulnerabilities ∗∗∗ --------------------------------------------- Three separate third-party components (OpenSSL, Apache HTTP Server, SimpleSAMLphp) were found to contain vulnerabilities, and updated versions have been made available by the providers. Out of caution and in line with good practice, Tenable opted to upgrade the bundled libraries to address the potential impact of these issues in Tenable.sc. --------------------------------------------- http://www.tenable.com/security/tns-2019-09 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode and libbsd), openSUSE (chromium, LibreOffice, and spectre-meltdown-checker), and SUSE (mozilla-nspr, mozilla-nss and python-azure-agent). --------------------------------------------- https://lwn.net/Articles/808319/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (igraph, jhead, libgcrypt20, otrs2, and waitress) and Mageia (clamaw, exiv2, filezilla, hunspell, libidn2, pdfresurrect, roundcubemail, and xpdf). --------------------------------------------- https://lwn.net/Articles/808395/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (chromium-browser and rh-git218-git) and SUSE (java-1_8_0-ibm and openssl-1_1). --------------------------------------------- https://lwn.net/Articles/808488/ ∗∗∗ Cisco Data Center Network Manager Authentication Bypass Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Data Center Network Manager XML External Entity Read Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Data Center Network Manager JBoss EAP Unauthorized Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Data Center Network Manager SQL Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Data Center Network Manager Path Traversal Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Data Center Network Manager Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Missing Integrity Checking Vulnerability on Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-… ∗∗∗ Security Advisory - Information Leak Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191030-… ∗∗∗ Security Advisory - Improper Credentials Management Vulnerability in Some Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200102-… ∗∗∗ Security Advisory - Information Leak Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200102-… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Several Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200102-… ∗∗∗ Security Advisory - Buffer Error Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200102-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Privileged Identity Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – Swagger UI (CVE-2019-17495) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private Kubernetes (CVE-2019-11245) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to IBM WebSphere Application Server Liberty vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2014-3603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-12402) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: A Security Vulnerability affects Cloud Foundry for IBM Cloud Private (CVE-2019-16935) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.12.2019
by Daily end-of-shift report 30 Dec '19

30 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-12-2019 18:00 − Montag 30-12-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Lesser-known Tools for Android Application PenTesting ∗∗∗ --------------------------------------------- Over time, I became familiar with the different tools, popular or not, that helped me in my assessments. In this post, I’ll list down these not-so-popular tools (in my opinion based on the different sources and blogs that I have read where these tools were not mentioned) that I’m using during my engagements. --------------------------------------------- https://captmeelo.com/pentest/2019/12/30/lesser-known-tools-for-android-pen… ∗∗∗ 36C3: Vertraue keinem Bluetooth-Gerät – schon gar nicht im vernetzten Auto ∗∗∗ --------------------------------------------- Bei Chips zur drahtlosen Datenübertragung etwa via Bluetooth gibt es massive Sicherheitslücken. Bei geteilten Antennen lässt sich etwa WLAN ausknipsen. --------------------------------------------- https://heise.de/-4624388 ===================== = Vulnerabilities = ===================== ∗∗∗ Trend Micro AntiVirus für Mac: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- Trend Micro AntiVirus ist eine Anti-Viren-Software. --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/12/warn… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by SUSE (dia, kernel, and libgcrypt). --------------------------------------------- https://lwn.net/Articles/808135/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-lan-config, freeimage, imagemagick, libxml2, mediawiki, openssl1.0, php5, and tomcat8). --------------------------------------------- https://lwn.net/Articles/808234/ ∗∗∗ Intel SPS vulnerability CVE-2019-11109 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54164678 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.12.2019
by Daily end-of-shift report 27 Dec '19

27 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Montag 23-12-2019 18:00 − Freitag 27-12-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Timely acquisition of network traffic evidence in the middle of an incident response procedure, (Wed, Dec 25th) ∗∗∗ --------------------------------------------- The acquisition of evidence is one of the procedures that always brings controversy in incident management. We must answer questions such as: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/25560 ∗∗∗ Bypassing UAC to Install a Cryptominer ∗∗∗ --------------------------------------------- First of all, Merry Christmas to all our readers! I hope youre enjoying the break with your family and friends! Even if everything slows down in this period, there is always malicious activity ongoing. I found a small PowerShell script that looked interesting for a quick diary. First of all, it has a VT score of 2/60[1]. It installs a cryptominer and its most interesting feature is the use of a classic technique to bypass UAC[2]. --------------------------------------------- https://isc.sans.edu/forums/diary/Bypassing+UAC+to+Install+a+Cryptominer/25… ∗∗∗ Video: Identitätsdiebstahl mit gefälschten Airbnb-Mails ∗∗∗ --------------------------------------------- Airbnb genießt hohes Vertrauen bei seinen UserInnen. Das versuchen sich auch Kriminelle zu Nutze zu machen. Sie versenden betrügerische Phishing-Mails im Design von Airbnb. --------------------------------------------- https://www.watchlist-internet.at/news/video-identitaetsdiebstahl-mit-gefae… ∗∗∗ Video: Erpressungs-Mails ∗∗∗ --------------------------------------------- Kriminelle versenden massenhaft Erpressungs-Mails an InternetnutzerInnen. Darin behaupten sie, die EmpfängerInnen der Nachrichten beim Masturbieren gefilmt zu haben. Um zu vermeiden, dass das Video veröffentlicht wird, sollen gewisse Geldbeträge in Form von Bitcoins bezahlt werden. --------------------------------------------- https://www.watchlist-internet.at/news/video-erpressungs-mails/ ===================== = Vulnerabilities = ===================== ∗∗∗ New Magellan 2.0 SQLite Vulnerabilities Affect Many Programs ∗∗∗ --------------------------------------------- New vulnerabilities in the SQLite database engine affect a wide range of applications that utilize it as a component within their software packages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-magellan-20-sqlite-vulne… ∗∗∗ AVE DOMINAplus 1.10.x Credentials Disclosure Exploit ∗∗∗ --------------------------------------------- The application suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file /xml/authClients.xml and obtain administrative login information that allows for a successful authentication bypass attack. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php ∗∗∗ AVE DOMINAplus 1.10.x Authentication Bypass Exploit ∗∗∗ --------------------------------------------- DOMINAplus suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php ∗∗∗ AVE DOMINAplus 1.10.x Unauthenticated Remote Reboot ∗∗∗ --------------------------------------------- The application suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5548.php ∗∗∗ AVE DOMINAplus 1.10.x CSRF/XSS Vulnerabilities ∗∗∗ --------------------------------------------- The application suffers from multiple CSRF and XSS vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script [...] --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5547.php ∗∗∗ Inim Electronics Smartliving SmartLAN/G/SI 6.x Hard-coded Credentials ∗∗∗ --------------------------------------------- The devices utilizes hard-coded credentials within its Linux distribution image. These sets of credentials (Telnet, SSH, FTP) are never exposed to the end-user and cannot be changed through any normal operation of the smart home device. Attacker could exploit this vulnerability by logging in and gain system access. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (freetype, kernel, nss, nss-softokn, nss-util, and thunderbird), Mageia (ghostpcl, libmirage, and spamassassin), Oracle (fribidi), and SUSE (mariadb-100, shibboleth-sp, and slurm). --------------------------------------------- https://lwn.net/Articles/808090/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, fribidi, nss, nss-softokn, nss-util, openslp, and thunderbird), Debian (opensc), and Mageia (389-ds-base, apache, apache-mod_auth_openidc, kernel, libofx, microcode, php, and ruby). --------------------------------------------- https://lwn.net/Articles/808119/ ∗∗∗ CA Client Automation 14.x Privilege Escalation ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2019120108 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-… ∗∗∗ Security Advisory - Integer Overflow Vulnerability in the Linux Kernel (SACK Panic) ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-… ∗∗∗ Security Advisory - Multiple Vulnerabilities in the X.509 Implementation in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-… ∗∗∗ Security Advisory - Missing Integrity Checking Vulnerability on Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-… ∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1110 ∗∗∗ ImageMagick / GraphicsMagick: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1117 ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1116 ∗∗∗ Nvidia GeForce Experience: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1114 ∗∗∗ Trend Micro Maximum Security: Schwachstelle ermöglicht Denial of Service oder Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1113 ∗∗∗ Trend Micro AntiVirus für Mac: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1120 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.12.2019
by Daily end-of-shift report 23 Dec '19

23 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-12-2019 18:00 − Montag 23-12-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ FBI Issues Alert For LockerGoga and MegaCortex Ransomware ∗∗∗ --------------------------------------------- The FBI has issued a warning to private industry recipients to provide information and guidance on the LockerGoga and MegaCortex Ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockerg… ∗∗∗ Mozi, Another Botnet Using DHT ∗∗∗ --------------------------------------------- Mozi Botnet relies on the DHT protocol to build a P2P network, and uses ECDSA384 and the xor algorithm to ensure the integrity and security of its components and P2P network. The sample spreads via Telnet with weak passwords and some known exploits --------------------------------------------- https://blog.netlab.360.com/mozi-another-botnet-using-dht/ ∗∗∗ Extracting VBA Macros From .DWG Files, (Sun, Dec 22nd) ∗∗∗ --------------------------------------------- I updated my oledump.py tool to help with the analysis of files that embed OLE files, like AutoCAD's .dwg files with VBA macros. --------------------------------------------- https://isc.sans.edu/diary/rss/25634 ∗∗∗ Leveraging Disk Imaging Tools to Deliver RATs ∗∗∗ --------------------------------------------- This year we observed a notable uptick in disc imaging software (like .ISO) being used as a container for serving malware via email, with .ISO archives attributing to 6% of all malware attachment archives seen this year. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/leveraging-… ∗∗∗ Looking into Attacks and Techniques Used Against WordPress Sites ∗∗∗ --------------------------------------------- This blog post lists different kinds of attacks against WordPress, by way of payload examples we observed in the wild, and how attacks have used hacked admin access and API, Alfa-Shell deployment, and SEO poisoning to take advantage of vulnerable sites. --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/mjE1ckQKGtA/ ∗∗∗ Geknackte Zwei-Faktor-Anmeldung: Warum Software Token keine gute Idee sind ∗∗∗ --------------------------------------------- Eine mutmaßlich chinesische Hackergruppe, deren Angriffe bis 2011 zurückgehen, soll einen neuartigen Angriff auf RSA-Software-Token entdeckt haben. --------------------------------------------- https://heise.de/-4622748 ∗∗∗ Jetzt updaten: Cisco ASA 5500-X Series Firewalls aus der Ferne angreifbar ∗∗∗ --------------------------------------------- Eine bereits seit 2018 bekannte ASA-Schwachstelle wird derzeit möglicherweise aktiv ausgenutzt. --------------------------------------------- https://heise.de/-4621541 ∗∗∗ Vorsicht vor GMX-Phishing-Mails ∗∗∗ --------------------------------------------- Zahlreiche LeserInnen melden uns momentan gefährliche Phishing-Mails, mit denen Kriminelle versuchen, an GMX-Konten zu gelangen. GMX-UserInnen müssen sich daher in Acht nehmen, wenn sie plötzlich wegen einer angeblichen Kontosperre, zu einem Login aufgefordert werden. Die Daten und E-Mail-Konten landen in den Händen Krimineller und können für Verbrechen unter fremder Identität genützt werden! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gmx-phishing-mails/ ∗∗∗ War Never Changes: Attacks Against WPA3’s Enhanced Open — Part 2: Understanding OWE ∗∗∗ --------------------------------------------- https://posts.specterops.io/war-never-changes-attacks-against-wpa3s-enhance… ===================== = Vulnerabilities = ===================== ∗∗∗ Patch now: Published Citrix applications leave networks of potentially 80,000 firms at risk from attackers ∗∗∗ --------------------------------------------- Unauthorised users able to perform arbitrary code execution A critical vulnerability found in Citrix Application Delivery Controller and Citrix Gateway (formerly known as Netscaler ADC and Netscaler Gateway) means businesses with apps published using these technologies may be exposing their internal network to unauthorised access. --------------------------------------------- https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/23/patch_no… ∗∗∗ Sicherheitslücke in Twitter-App für Android ∗∗∗ --------------------------------------------- Über eine Sicherheitslücke in der Twitter-App für Android lässt sich bösartiger Code einschleusen, der private Daten auslesen kann. Ein Update steht bereit. --------------------------------------------- https://heise.de/-4621735 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cups, cyrus-sasl2, tightvnc, and x2goclient), Fedora (cacti and cacti-spine), openSUSE (mariadb and samba), Oracle (fribidi, git, and python), Red Hat (fribidi, libyang, and qemu-kvm-rhev), Slackware (openssl and tigervnc), and SUSE (firefox, nspr, nss and kernel). --------------------------------------------- https://lwn.net/Articles/808026/ ∗∗∗ Synology-SA-19:43 Drupal ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to upload arbitrary files via a susceptible version of Drupal. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_43 ∗∗∗ F5 Security Advisories ∗∗∗ --------------------------------------------- https://support.f5.com/csp/new-updated-articles ∗∗∗ Security Bulletin: Multiple Vulnerabilities in libpng affects IBM Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Input Validation Vulnerability in Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-input-validation-vulnerab… ∗∗∗ Security Bulletin: Multiple Vulnerabilities In Redis affects Watson Studio Local (CVE-2018-12453, CVE-2018-12326, CVE-2018-11218) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: JWT Token Check Vulnerability in Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-jwt-token-check-vulnerabi… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Kubernetes affects IBM Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Watson Studio Local Key Storage Vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-studio-local-key-s… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in GNU binutils affects IBM Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in GNU Binutils affects Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Internal SSL Communication Vulerability in Watson Studio Local (PSIRT-ADV0011800) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-internal-ssl-communicatio… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in OpenSSL affects IBM Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Samba affects IBM Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-samba-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.12.2019
by Daily end-of-shift report 20 Dec '19

20 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-12-2019 18:00 − Freitag 20-12-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ From dropbox(updater) to NT AUTHORITY\SYSTEM ∗∗∗ --------------------------------------------- In this post I’m going to show how to use the DropBoxUpdater service in order to get SYSTEM privileges starting from a simple Windows user. --------------------------------------------- https://decoder.cloud/2019/12/18/from-dropboxupdater-to-nt-authoritysystem/ ∗∗∗ Using WebRTC ICE Servers for Port Scanning in Chrome ∗∗∗ --------------------------------------------- Using the browser to scan a LAN isn’t a new idea. There are many implementations that use XHR requests, websockets, or plain HTML to discover and fingerprint LAN devices. But in this blog, I’ll introduce a new scanning technique using WebRTC ICE servers. This technique is fast and, unlike the other methods, bypasses the blocked ports list. Unfortunately, it only works when the victim is using Chrome. --------------------------------------------- https://medium.com/tenable-techblog/using-webrtc-ice-servers-for-port-scann… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4590 cyrus-imapd - security update ∗∗∗ --------------------------------------------- It was discovered that the lmtpd component of the Cyrus IMAP server created mailboxes with administrator privileges if the fileinto [sieve directive] was used, bypassing ACL checks. --------------------------------------------- https://www.debian.org/security/2019/dsa-4590 ∗∗∗ Field Notice: FN - 70489 - PKI Self-Signed Certificate Expiration in Cisco IOS and Cisco IOS XE Software - Software Upgrade Recommended ∗∗∗ --------------------------------------------- Self-signed X.509 PKI certificates (SSC) that were generated on devices that run affected Cisco IOS® or Cisco IOS XE software releases expire on 2020-01-01 00:00:00 UTC. New self-signed certificates cannot be created on affected devices after 2020-01-01 00:00:00 UTC. Any service that relies on these self-signed certificates to establish or terminate a secure connection might not work after the certificate expires. --------------------------------------------- https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70489.html ∗∗∗ OpenSSL version 1.0.2u published ∗∗∗ --------------------------------------------- The OpenSSL project team is pleased to announce the release of version 1.0.2u of our open source toolkit for SSL/TLS. --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2019-December/000165.html ∗∗∗ VMSA-2019-0023 ∗∗∗ --------------------------------------------- VMware Workstation and Horizon View Agent updates address a DLL-hijacking issue (CVE-2019-5539) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0023.html ∗∗∗ Critical Vulnerability Patched in 301 Redirects – Easy Redirect Manager ∗∗∗ --------------------------------------------- On Friday December 13th, our Threat Intelligence team discovered vulnerabilities present in "301 Redirects – Easy Redirect Manager", a WordPress plugin installed on over 70,000 websites. These weaknesses allowed any authenticated user, even subscribers, to modify, delete, and inject redirect rules that could potentially result in a loss of site availability. We privately disclosed the issue to the plugin’s developer, who was incredibly quick to respond and release a patch. --------------------------------------------- https://www.wordfence.com/blog/2019/12/critical-vulnerability-patched-in-30… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cyrus-imapd and gdk-pixbuf), Fedora (cacti, cacti-spine, and fribidi), Red Hat (fribidi, git, and openstack-keystone), Scientific Linux (fribidi), Slackware (wavpack), and SUSE (firefox, kernel, mariadb, spectre-meltdown-checker, and trousers). --------------------------------------------- https://lwn.net/Articles/807851/ ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Atlassian Jira Software ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1105 ∗∗∗ Moxa EDS Ethernet Switches ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-353-01 ∗∗∗ Equinox Control Expert ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-353-02 ∗∗∗ WECON PLC Editor ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-353-03 ∗∗∗ Reliable Controls MACH-ProWebCom/Sys ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-353-04 ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilties ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozzila Firefox (less than Firefox 68.2.0 ESR) have affected Synthetic Playback Agent 8.1.4.0 – 8.1.4 IF09 + ICAM Synthetic 3.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Various security vulnerabilities in IBM Financial Transaction Manager for SWIFT Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-various-security-vulnerab… ∗∗∗ Security Bulletin: IBM Cognos Business Intelligence has addressed multiple vulnerabilties ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-business-intel… ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozzila Firefox (less than Firefox 68.2.0 ESR) have affected Synthetic Playback Agent 8.1.4.0 – 8.1.4 IF09 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ The BIG-IP DNS system may erroneously display the TSIG key secret in plain text form ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36328238?utm_source=f5support&utm_mediu… ∗∗∗ ASM Cloud Security Services authentication vulnerability CVE-2019-6687 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K59957337?utm_source=f5support&utm_mediu… ∗∗∗ Synology-SA-19:42 Intel Processor Vulnerability ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_42 ∗∗∗ Synology-SA-19:41 WordPress ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_41 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.12.2019
by Daily end-of-shift report 19 Dec '19

19 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-12-2019 18:00 − Donnerstag 19-12-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Emotet Gang Changes Tactics Ahead of the Winter Holidays ∗∗∗ --------------------------------------------- With the end of the year approaching fast, the authors of Emotet have made some changes that may increase their revenue for the holidays. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-gang-changes-tactics-… ∗∗∗ TP-Link Routers Give Cyberattackers an Open Door to Business Networks ∗∗∗ --------------------------------------------- Remote attackers can easily compromise the device and pivot to move laterally through the LAN or WAN. --------------------------------------------- https://threatpost.com/tp-link-routers-cyberattackers-open-door/151254/ ∗∗∗ Microsoft Updates November Security Updates with SharePoint Bug ∗∗∗ --------------------------------------------- Microsoft has added a fresh CVE to its security portal, linking it to the existing November security updates (the patch itself was already included in the updates, but not specifically named). The CVE describes a vulnerability in SharePoint Server. According to a Microsoft Security Advisory, an attacker could exploit the bug (CVE-2019-1491) to obtain sensitive information and then use that information to mount further attacks. --------------------------------------------- https://threatpost.com/microsoft-issues-out-of-band-update-sharepoint-bug/1… ∗∗∗ Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks ∗∗∗ --------------------------------------------- Microsoft Defender ATP data scientists and threat hunters collaborate to use a data science-driven approach to detecting RDP brute force attacks to protect customers against real-world threats. --------------------------------------------- https://www.microsoft.com/security/blog/2019/12/18/data-science-for-cyberse… ∗∗∗ How Websites Are Used to Spread Emotet Malware ∗∗∗ --------------------------------------------- In past posts, we’ve discussed the more popular reasons why hackers target smaller websites. Today, we’ll focus instead on how hackers use compromised websites to spread dangerous malware like Emotet to end user victims. --------------------------------------------- https://blog.sucuri.net/2019/12/how-websites-are-used-to-spread-emotet-malw… ∗∗∗ Zero Day Vulnerability in Deutsche Bahn Ticket Machine Series System uncovered ∗∗∗ --------------------------------------------- Whitehat in action discovers Kiosk Escape & Escalation via Windows PasswordAgent --------------------------------------------- https://www.vulnerability-db.com/?q=articles/2019/12/13/zero-day-vulnerabil… ∗∗∗ Erpressung 2.0: Ransomware-Gangs wollen sensible Firmendaten veröffentlichen ∗∗∗ --------------------------------------------- Die Macher von Maze und Sodinokibi läuten womöglich einen unerfreulichen Trend ein: Sie wollen sensible Dokumente infizierter Unternehmen online stellen. --------------------------------------------- https://heise.de/-4619041 ∗∗∗ Gefälschte Krone.at-Werbung lockt auf Facebook mit gratis iPhones ∗∗∗ --------------------------------------------- Achtung: Auf Facebook kursieren Werbeschaltungen im Namen der Kronen Zeitung. Darin wird behauptet, dass die größte Apple-Lagerhalle gebrannt hat und nun 2173 unbeschädigte iPhones in Österreich verschenkt werden. Das ist frei erfunden und die Werbung stammt nicht von der Kronen Zeitung. Wer sich hier anmeldet, tappt in eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-kroneat-werbung-lockt-au… ∗∗∗ 30 years of ransomware: How one bizarre attack laid the foundations for the malware taking over the world ∗∗∗ --------------------------------------------- In December 1989 the world was introduced to the first ever ransomware - and 30 years later ransomware attacks are now at crisis levels. --------------------------------------------- https://www.zdnet.com/article/30-years-of-ransomware-how-one-bizarre-attack… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: December 19, 2019Drupal has released security updates to address vulnerabilities in Drupal 7.x, 8.7.x, and 8.8.x. An attacker could exploit some of these vulnerabilities to modify data on an affected website. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/12/19/drupal-releases-se… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (git, libgit2, and shadow), Debian (debian-edu-config and python-django), Fedora (python-django), Mageia (apache-commons-beanutils, fence-agents, flightcrew, freerdp, htmldoc, libssh, pacemaker, rsyslog, samba, and sssd), Oracle (freetype and kernel), Scientific Linux (freetype and kernel), SUSE (firefox, spectre-meltdown-checker, thunderbird, xen, and zziplib), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/807711/ ∗∗∗ Synology-SA-19:42 WordPress ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML or bypass security constraint via a susceptible version of WordPress. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_42 ∗∗∗ Security Bulletin: IBM API Connect is impacted by a vulnerability in libexpat ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impact… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in GnuTLS affects IBM Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in libpng affects IBM Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in jQuery affects IBM Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jquery-a… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in libxml2 affects IBM Watson Studio Local ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ PHP: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1099 ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1098 ∗∗∗ Citrix Systems NetScaler Gateway: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1093 ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1101 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.12.2019
by Daily end-of-shift report 18 Dec '19

18 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-12-2019 18:00 − Mittwoch 18-12-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Forthcoming OpenSSL release ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.0.2u. This release will be made available on Friday 20th December 2019 between 1300-1700 UTC. This will contain one LOW severity fix for CVE-2019-1551 previously announced here: https://www.openssl.org/news/secadv/20191206.txt --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2019-December/000164.html ∗∗∗ Betrügerische Zahlungsaufforderungen von top-urlaub.info nicht bezahlen! ∗∗∗ --------------------------------------------- Zahlreiche InternetnutzerInnen berichten uns momentan von betrügerischen Rechnungen und Zahlungsaufforderungen der Next Trip Ltd. Sie stoßen auf eine Werbung auf sozialen Netzwerken, die günstige Urlaubsangebote verspricht. Eine Registrierung führt zu hohen Zahlungsaufforderungen wegen einer angeblich abgeschlossenen Jahresmitgliedschaft. Die Rechnung über 239,90 Euro muss in derartigen Fällen nicht bezahlt werden! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-zahlungsaufforderunge… ===================== = Vulnerabilities = ===================== ∗∗∗ Google Releases Security Updates for Chrome for Windows, Mac, and Linux ∗∗∗ --------------------------------------------- Google has released security updates for Chrome version 79.0.3945.88 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/12/18/google-releases-se… ∗∗∗ Microsoft Releases Out-of-Band Security Updates ∗∗∗ --------------------------------------------- Microsoft has released out-of-band security updates to address a vulnerability in SharePoint Server. An attacker could exploit this vulnerability to obtain sensitive information. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/12/18/microsoft-releases… ∗∗∗ SpamAssassin 3.4.3 available ∗∗∗ --------------------------------------------- Apache SpamAssassin 3.4.3 contains numerous tweaks and bug fixes as we prepare to move to version 4.0.0 with better, native UTF-8 handling. There are a number of functional patches, improvements as well as security reasons to upgrade to 3.4.3. In this release, there are bug fixes for two CVEs. --------------------------------------------- https://lwn.net/Articles/807539/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-edu-config, harfbuzz, libvorbis, and python-ecdsa), Fedora (chromium, fribidi, libssh, and openslp), openSUSE (chromium), Oracle (grub2), Red Hat (rh-maven35-apache-commons-beanutils), SUSE (kernel, libssh, mariadb, samba, and xen), and Ubuntu (openjdk-8, openjdk-lts). --------------------------------------------- https://lwn.net/Articles/807609/ ∗∗∗ Dell XPS 13 2-in-1 (7390): Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/12/warn… ∗∗∗ GE S2020/S2020G Fast Switch 61850 ∗∗∗ --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-351-01 ∗∗∗ Security Advisory - Improper Access Control Vulnerability in Huawei Share ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191218-… ∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Huawei Share ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191218-… ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191218-… ∗∗∗ Security Advisory - Information Disclosure Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191218-… ∗∗∗ Security Bulletin: vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a Node.js by Prototype Pollution vulnerabiliy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in the Linux kernel affect the IBM FlashSystem models V840 and V9000 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is affected by a Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cloud Transformation Advisor ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in jackson-databind affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Planning Analytics has addressed a Security Vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-ha… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in the Linux kernel affect the IBM FlashSystem models 840 and 900 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.12.2019
by Daily end-of-shift report 17 Dec '19

17 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Montag 16-12-2019 18:00 − Dienstag 17-12-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ #include ∗∗∗ --------------------------------------------- Recently I saw a tweet where someone mentioned that you can include /dev/stdin in C code compiled with gcc. This is, to say the very least, surprising. When you see something like this with an IT security background you start to wonder if this can be abused for an attack. --------------------------------------------- https://blog.hboeck.de/archives/898-include-etcshadow.html ∗∗∗ Is it Possible to Identify DNS over HTTPs Without Decrypting TLS? ∗∗∗ --------------------------------------------- Aside from the session length, I found that the payload length for DoH is somewhat telling. DNS queries and responses are usually a couple of hundred bytes long. HTTPS connections, on the other hand, tend to "fill" the MTU. --------------------------------------------- https://isc.sans.edu/diary/rss/25616 ∗∗∗ ESET BlueKeep (CVE‑2019‑0708) Detection‑Tool ∗∗∗ --------------------------------------------- Obwohl die BlueKeep-Schwachstelle (CVE-2019-0708) bisher nicht für weitverbreitetes Chaos sorgte, befindet sie sich doch noch in einem recht frühen Stadium der Exploit-Lebensdauer. Tatsächlich ist es so, dass viele Systeme noch nicht gepatcht sind und eine Version des Exploits als Wurm noch auftauchen könnte. Aufgrund dieser Faktoren stellt ESET ein kostenloses Detection-Tool bereit, das checken soll, ob ein System in Bezug auf BlueKeep verwundbar ist. --------------------------------------------- https://www.welivesecurity.com/deutsch/2019/12/17/eset-bluekeep-detection-t… ∗∗∗ Weihnachtseinkäufe auf Amazon: Vorsicht vor Kriminellen ∗∗∗ --------------------------------------------- Eine Bestellung auf Amazon ist für viele bereits selbstverständlich und mit einer überwiegend positiven Kauferfahrung verbunden. Doch auf Amazon finden sich auch betrügerische Angebote: werden Sie aufgefordert, HändlerInnen vorab per E-Mail zu kontaktieren oder die Zahlung über ein externes Konto und nicht über Amazon abzuwickeln, können Sie von einem unseriösen Angebot ausgehen! --------------------------------------------- https://www.watchlist-internet.at/news/weihnachtseinkaeufe-auf-amazon-vorsi… ===================== = Vulnerabilities = ===================== ∗∗∗ Joomla - [20191202] - Core - Various SQL injections through configuration parameters ∗∗∗ --------------------------------------------- Versions: 2.5.0 - 3.9.13 CVE Number: CVE-2019-19846 The lack of validation of configuration parameters used in SQL queries caused various SQL injection vectors. --------------------------------------------- https://developer.joomla.org/security-centre/797-20191202-core-various-sql-… ∗∗∗ Joomla - [20191201] - Core - Path Disclosure in framework files ∗∗∗ --------------------------------------------- Versions: 3.8.0 - 3.9.13 Number: CVE-2019-19845 Missing access check in framework files could lead to a path disclosure. --------------------------------------------- https://developer.joomla.org/security-centre/796-20191201-core-path-disclos… ∗∗∗ This Bug Could Have Let Anyone Crash WhatsApp Of All Group Members ∗∗∗ --------------------------------------------- WhatsApp, the worlds most popular end-to-end encrypted messaging application, patched an incredibly frustrating software bug that could have allowed a malicious group member to crash the messaging app for all members of the same group, The Hacker News learned. ... Check Point responsibly reported this crash bug to the WhatsApp security team back in late August this year, and the company patched the issue with the release of WhatsApp version 2.19.58 in mid-September. --------------------------------------------- https://thehackernews.com/2019/12/whatsapp-group-crash.html ∗∗∗ CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI ∗∗∗ --------------------------------------------- Telerik UI for ASP.NET AJAX is a widely used suite of UI components for web applications. It insecurely deserializes JSON objects in a manner that results in arbitrary remote code execution on the softwares underlying host. --------------------------------------------- https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in… ∗∗∗ Vulnerabilities in multiple third party TYPO3 CMS extensions ∗∗∗ --------------------------------------------- several vulnerabilities have been found in the following third party TYPO3 extensions: - "MKSamlAuth" (mksamlauth) - "Change password for frontend users" (fe_change_pwd) - "File List" (file_list) - "femanager direct mail subscription" (femanager_dmail_subscribe) - "femanager" (femanager) --------------------------------------------- http://lists.typo3.org/pipermail/typo3-announce/2019/000455.html ∗∗∗ TYPO3 10.2.2, 9.5.13 and 8.7.30 security releases published ∗∗∗ --------------------------------------------- We are announcing the release of the following TYPO3 updates: TYPO3 10.2.2 TYPO3 9.5.13 LTS TYPO3 8.7.30 LTS All versions are security releases and contain important security fixes --------------------------------------------- https://typo3.org/article/typo3-1022-9513-and-8730-security-releases-publis… ∗∗∗ Sicherheitsupdate: Passwortabfrage von TP-Links Archer-Routern umgehbar ∗∗∗ --------------------------------------------- Angreifer könnten eine kritische Sicherheitslücke ausnutzen, um mit Admin-Rechten auf einige Router der Archer-Serie zu zugreifen. --------------------------------------------- https://heise.de/-4616996 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libssh, ruby2.3, and ruby2.5), Fedora (kernel and libgit2), openSUSE (chromium and libssh), Oracle (openslp), Red Hat (container-tools:1.0, container-tools:rhel8, freetype, kernel, and kpatch-patch), Scientific Linux (openslp), SUSE (git and LibreOffice), and Ubuntu (graphicsmagick). --------------------------------------------- https://lwn.net/Articles/807505/ ∗∗∗ Intel Patches Privilege Escalation Flaw in Rapid Storage Technology ∗∗∗ --------------------------------------------- A vulnerability Intel has addressed in the Rapid Storage Technology (RST) could allow a local user to escalate privileges to System. Intel RST is a Windows-based application that is provided with many computers that feature Intel chips to deliver improved performance and reliability when SATA disks are used. --------------------------------------------- https://www.securityweek.com/intel-patches-privilege-escalation-flaw-rapid-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in lodash shipped with PowerAI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a libcgroup vulnerability (CVE-2018-14348) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability has been identified in SQLite shipped with PowerAI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM SDK Oracle Java vunerabilities affect IBM Watson Text to Speech and Speech to Text (IBM Watson™ Speech Services 1.1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-oracle-java-vuner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.12.2019
by Daily end-of-shift report 16 Dec '19

16 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-12-2019 18:00 − Montag 16-12-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ PCI Point-to-Point Encryption Standard 3.0 released ∗∗∗ --------------------------------------------- The PCI Security Standards Council (PCI SSC) has updated the PCI Point-to-Point Encryption Standard (P2PE) and supporting program. PCI P2PE Version 3.0 simplifies the process for component and solution providers to validate their P2PE products for cardholder data protection efforts. --------------------------------------------- https://www.helpnetsecurity.com/2019/12/16/pci-point-to-point-encryption-st… ===================== = Vulnerabilities = ===================== ∗∗∗ Javascript: Node-Pakete können Binärdateien unterjubeln ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in den Paketmanangern für Node.js, NPM und Yarn, ermöglicht das Unterschieben und Manipulieren von Binärdateien auf dem Client-System. Updates stehen bereit. --------------------------------------------- https://www.golem.de/news/javascript-node-pakete-koennen-binaerdateien-unte… ∗∗∗ 2019-11-12: Cybersecurity Advisory - Automation Builder 2.2 (and earlier), Drive Application Builder 1.0 ∗∗∗ --------------------------------------------- ABB is aware of public reports of a vulnerability in the product versions listed above. This issue will be fixed by · Version 2.3.0 of Automation Builder. The release of this version is expected for end of Q1 2020 · Version 1.1.0 of Drive Application Builder. The release of this version is expected for end of 2019 An attacker who successfully exploited this vulnerability could insert and run arbitrary JavaScript and/or ActiveX code. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=3ADR010465&Language… ∗∗∗ Multiple Vulnerabilities in ABB PB610 PanelBuilder 600 ∗∗∗ --------------------------------------------- ABB is aware of a private report of four vulnerabilities in PB610 Panel Builder 600, versions 2.8.0.424 and earlier, affecting the HMIStudio and HMISimulator components. The vulnerabilities are corrected in version 2.8.0.460. --------------------------------------------- http://www02.abb.com/GLOBAL/GAD/GAD01626.NSF/0/1520A33C30E2562EC12584D20058… ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in WAGO PFC200 ∗∗∗ --------------------------------------------- The WAGO PFC200 and PFC100 controllers contain multiple exploitable vulnerabilities. The PFC200 is one of WAGO’s programmable automation controllers that are used in many industries including automotive, rail, power engineering, manufacturing and building management. The vulnerabilities disclosed here all have their root cause within the protocol handling code of the I/O Check (iocheckd) configuration... --------------------------------------------- https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-multiple… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (davical, intel-microcode, libpgf, php-horde, spamassassin, spip, and thunderbird), Mageia (clementine, dnsmasq, git, jasper, kdelibs4, kernel, libcroco, libgit2, libvirt, ncurses, openafs, proftpd, qbittorrent, signing-party, squid, and wireshark), openSUSE (java-1_8_0-openjdk and postgresql), Oracle (kernel), Red Hat (chromium-browser and openslp), and SUSE (kernel, libssh, and xen). --------------------------------------------- https://lwn.net/Articles/807412/ ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect z/TPF ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: API Connect is impacted by credential caching ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-impacted-b… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Kubernetes shipped with PowerAI Vision ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an abend while processing messages. (CVE-2019-4560) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2019
by Daily end-of-shift report 13 Dec '19

13 Dec '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-12-2019 18:00 − Freitag 13-12-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Echobot Variant Exploits 77 Remote Code Execution Flaws ∗∗∗ --------------------------------------------- The Echobot botnet is still after the low hanging fruit as a new variant has been spotted with an increased number of exploits that target unpatched devices, IoT for the most part. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-echobot-variant-exploits… ∗∗∗ All in the (Ransomware) Family: 10 Ways to Take Action ∗∗∗ --------------------------------------------- Check out our list of top 10 things to do to protect your organization from the deepening scourge of ransomware. --------------------------------------------- https://threatpost.com/ransomware-family-10-ways-take-action/151080/ ∗∗∗ Multi-stage downloader Trojan sLoad abuses BITS almost exclusively for malicious activities ∗∗∗ --------------------------------------------- Many of today’s threats evolve to incorporate as many living-off-the-land techniques as possible into the attack chain. The PowerShell-based downloader Trojan known as sLoad, however, puts all its bets on BITS. --------------------------------------------- https://www.microsoft.com/security/blog/2019/12/12/multi-stage-downloader-t… ∗∗∗ Internet banking sites and their use of TLS... and SSLv3... and SSLv2?!, (Fri, Dec 13th) ∗∗∗ --------------------------------------------- Although SSLv3 has been considered obsolete and insecure for a long time, a large number of web servers still support its use. And even though the numbers are much lower, some servers on the web support SSLv2 to this day as well. And, as it turns out, this is true even when it comes to web servers hosting internet banking portals --------------------------------------------- https://isc.sans.edu/diary/rss/25606 ∗∗∗ Unmasking Black Hat SEO for Dating Scams ∗∗∗ --------------------------------------------- Malware obfuscation comes in all shapes and sizes - and it’s sometimes hard to recognize the difference between malicious and legitimate code when you see it. Recently, we came across an interesting case where attackers went a few extra miles to make it more difficult to notice the site infection. --------------------------------------------- https://blog.sucuri.net/2019/12/unmasking-black-hat-seo-for-dating-scams.ht… ∗∗∗ Threat spotlight: The curious case of Ryuk ransomware ∗∗∗ --------------------------------------------- >From comic book death god to ransomware baddie, Ryuk ransomware remains a mainstay when organizations find themselves in a crippling malware pinch. We look at Ryuks origins, attack methods, and how to protect against this ever-present threat. --------------------------------------------- https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the… ∗∗∗ Targeted Attacks Deliver New "Anchor" Malware to High-Profile Companies ∗∗∗ --------------------------------------------- TrickBot/Anchor Campaign Could be a New Targeted Magecart Attack Against High-Profile Companies --------------------------------------------- https://www.securityweek.com/targeted-attacks-deliver-new-anchor-malware-hi… ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech DiagAnywhere Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for a stack-based buffer overflow vulnerability in the Advantech DiagAnywhere Server. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-346-01 ∗∗∗ Omron PLC CJ and CS Series ∗∗∗ --------------------------------------------- This advisory includes information and mitigation recommendations for authentications vulnerabilities reported in the Omron PLC CJ and CS Series. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-346-02 ∗∗∗ Omron PLC CJ, CS and NJ Series ∗∗∗ --------------------------------------------- This advisory includes information and mitigation recommendations for an authentication related vulnerability in the Omron PLC CJ, CS, and NJ Series. --------------------------------------------- https://www.us-cert.gov/ics/advisories/icsa-19-346-03 ∗∗∗ WordPress 5.3.1 Security and Maintenance Release ∗∗∗ --------------------------------------------- This security and maintenance release features 46 fixes and enhancements. Plus, it adds a number of security fixes - see the list below. --------------------------------------------- https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (knot-resolver and xen), openSUSE (kernel), and SUSE (haproxy, kernel, and openssl). --------------------------------------------- https://lwn.net/Articles/807261/ ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application and IHS server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A cross site scripting security vulnerability has been identified with Case Builder component in IBM Case Manager (CVE-2019-4426) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-se… ∗∗∗ Security Bulletin: A cross site scripting security vulnerability has been identified with Case Builder component shipped with IBM Business Automation Workflow (CVE-2019-4426) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-se… ∗∗∗ HPESBHF03974 rev.1 - HPE Servers using certain Intel Processors, Local Denial of Service, Disclosure of Information, Escalation of Privilege ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Dovecot: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1076 ∗∗∗ Trend Micro AntiVirus: Schwachstelle ermöglicht Denial of Service oder Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-1077 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily