- Daily - CERT.at

Tageszusammenfassung - 25.10.2018
by Daily end-of-shift report 25 Oct '18

25 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-10-2018 18:00 − Donnerstag 25-10-2018 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ sLoad Banking Trojan Downloader Displays Sophisticated Recon and Targeting ∗∗∗ --------------------------------------------- The sLoad downloader is an example of the stealthy, smart malware trend. --------------------------------------------- https://threatpost.com/sload-banking-trojan-downloader-displays-sophisticat… ∗∗∗ Magecart Cybergang Targets 0days in Third-Party Magento Extensions ∗∗∗ --------------------------------------------- Over two dozen third-party ecommerce plugins contain zero-day vulnerabilities being exploited in a recent Magecart campaign. --------------------------------------------- https://threatpost.com/magecart-cybergang-targets-0days-in-third-party-mage… ∗∗∗ BSI-Mindeststandard zur Protokollierung und Detektion von Cyber-Angriffen ∗∗∗ --------------------------------------------- Cyber-Angriffe auf die IT-Systeme der Bundesverwaltung finden täglich statt. Neben ungezielten Massenangriffen sind die Netze des Bundes auch gezielten Angriffskampagnen ausgesetzt. Um die Detektion von Cyber-Angriffen zu verbessern, hat das Bundesamt für Sicherheit in der Informationstechnik (BSI) einen Mindeststandard zur Protokollierung und der darauf basierenden Erkennung von Cyber-Angriffen definiert. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/Mindeststan… ∗∗∗ EU-Kommission will Zertifizierung für sichere Internetgeräte schaffen ∗∗∗ --------------------------------------------- Die EU arbeitet an einer Verordnung zur Sicherheitszertifizierung, die insbesondere die Geräte im Internet of Things in den Blick nimmt. --------------------------------------------- http://heise.de/-4202642 ∗∗∗ Sicherheitsupdate: Gefährliche Lücke in Cisco Webex Meetings ∗∗∗ --------------------------------------------- Angreifer könnten den Update-Mechanismus von Webex missbrauchen, um eigenen Code auszuführen. Ein Sicherheitsupdate schließt die Schwachstelle. --------------------------------------------- http://heise.de/-4202886 ∗∗∗ Gandcrab: Aktualisiertes Entschlüsselungstool für Erpressungstrojaner ∗∗∗ --------------------------------------------- Opfer der Ransomware Gandcrab in den Versionen 1, 4 und 5 können ihre Daten nun kostenlos entschlüsseln. --------------------------------------------- http://heise.de/-4203283 ∗∗∗ Sextortion emails: They're probably not watching you ∗∗∗ --------------------------------------------- Yes, those sextortion email scams using old passwords are still making the rounds. How can you spot a real sextortion attempt from an empty threat? And when should you report to authorities? Read on to find out. --------------------------------------------- https://blog.malwarebytes.com/101/2018/10/sextortion-emails-theyre-probably… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Webex Meetings Desktop App Update Service Command Injection Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the update service of Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user.The vulnerability is due to insufficient validation of user-supplied parameters. An attacker could exploit this vulnerability by invoking the update service command with a crafted argument. An exploit could allow the attacker to run arbitrary commands with SYSTEM user privileges. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Xen Security Advisory 278 v1 - x86: Nested VT-x usable even when disabled ∗∗∗ --------------------------------------------- When running HVM guests, virtual extensions are enabled in hardware because Xen is using them. As a result, a guest can blindly execute the virtualisation instructions, and will exit to Xen for processing. --------------------------------------------- https://lists.xenproject.org/archives/html/xen-announce/2018-10/msg00000.ht… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (389-ds-base, clamav, firefox-esr, and mosquitto), openSUSE (Chromium and firefox), Oracle (firefox and kernel), Red Hat (chromium-browser, firefox, java-1.6.0-sun, java-1.7.0-oracle, and java-1.8.0-oracle), SUSE (dom4j, exempi, mercurial, ntp, python-cryptography, tiff, tomcat, and webkit2gtk3), and Ubuntu (audiofile and firefox). --------------------------------------------- https://lwn.net/Articles/769529/ ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSH affects AIX (CVE-2018-15473) Security Bulletin ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10733751 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM OS Image for Red Hat Linux Systems on IBM PureApplication ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10728607 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Platform Symphony and IBM Spectrum Symphony ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10732846 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in WebSphere Application Server Admin Console affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-1770, CVE-2018-1777) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10737065 ∗∗∗ IBM Security Bulletin: Rational DOORS Web Access is affected by Apache Tomcat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/docview.wss?uid=ibm10735863 ∗∗∗ IBM Security Bulletin: A vulnerability in Samba affects IBM OS Image for Red Hat Linux Systems on IBM PureApplication (CVE-2018-1050) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10728649 ∗∗∗ IBM Security Bulletin : IBM Storwize V7000 Unified is affected by multiple GSKit vulnerabilities in GPFS ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10734249 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager is affected by multiple vulnerabilities in GSKit ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016890 ∗∗∗ IBM Security Bulletin: IBM WebSphere Commerce could allow some server-side code injection (CVE-2018-1808) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10735905 ∗∗∗ Reflected XSS vulnerability in an undisclosed Configuration utility page CVE-2018-15315 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41704442 Next End-of-Day report: 2018-10-29 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.10.2018
by Daily end-of-shift report 24 Oct '18

24 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-10-2018 18:00 − Mittwoch 24-10-2018 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Key New Security Features & Capabilities to Know in Windows 10 ∗∗∗ --------------------------------------------- Last year's WannaCry and Petya malware outbreaks couldn't breach Windows 10's latest security defenses, but companies still running outdated [...] --------------------------------------------- https://www.beyondtrust.com/blog/key-new-security-features-in-windows-10/ ∗∗∗ Hacker Discloses New Windows Zero-Day Exploit On Twitter ∗∗∗ --------------------------------------------- A security researcher with Twitter alias SandboxEscaper—who two months ago publicly dropped a zero-day exploit for Microsoft Windows Task Scheduler—has yesterday released another proof-of-concept exploit for a new Windows zero-day vulnerability. --------------------------------------------- https://thehackernews.com/2018/10/windows-zero-day-exploit.html ∗∗∗ Sicherheitsupdates: Backup-Software von Arcserve kann Daten leaken ∗∗∗ --------------------------------------------- Angreifer könnten unberechtigt auf Daten von Host-Systemen, auf denen die Backup-Lösung Arcserve Unified Data Protection läuft, zugreifen. --------------------------------------------- http://heise.de/-4202167 ∗∗∗ Einkaufsbetrug mit gefälschten Smile Bank-Nachrichten ∗∗∗ --------------------------------------------- Privatverkäufer/innen erhalten Nachrichten von Kriminellen. Sie geben vor, im Ausland zu sein und wollen die angebotene Ware kaufen. Sie überweisen angeblich einen überhöhten Geldbetrag an ihre Vertragspartner/innen. Das sollen gefälschte Smile Bank-Nachrichten belegen. Schließlich sollen Verkäufer/innen den Differenzbetrag und die Ware ins Ausland senden. Dadurch verlieren sie ihre personenbezogenen Daten, ihr Geld und ihre Produkte an Betrüger/innen. --------------------------------------------- https://www.watchlist-internet.at/news/einkaufsbetrug-mit-gefaelschten-smil… ∗∗∗ Nike-Markenfälscher auf coldenemy.com ∗∗∗ --------------------------------------------- Die neuesten Schuhe von Nike um 70 Prozent vergünstigt? Das gibt's auf coldenemy.com. Wer hier bestellt, erhält minderwertige Ware, die nichts mit dem gekauften Produkt zu tun hat. Außerdem gelangen Kredit- und Personendaten in die Hände von Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/nike-markenfaelscher-auf-coldenemyco… ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- This advisory includes mitigations for stack-based buffer overflow, external control of file name or path, improper privilege management, and path traversal vulnerabilities in Advantechs WebAccess. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-296-01 ∗∗∗ GAIN Electronic Co. Ltd SAGA1-L Series ∗∗∗ --------------------------------------------- This advisory includes mitigations for authentication bypass by capture-relay, improper access control, and improper authentication vulnerabilities in GAIN Electronics SAGA1-L series transmitters. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-296-02 ∗∗∗ Telecrane F25 Series ∗∗∗ --------------------------------------------- This advisory includes mitigations for an authentication bypass by capture-replay vulnerability in the Telecrane F25 Series software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-296-03 ∗∗∗ BitDefender Digital Signature Bypass Lets Remote Users Execute Arbitrary Code ∗∗∗ --------------------------------------------- A remote user can cause arbitrary code that is located elsewhere to be executed on the target users system due to a bypass of the digital signature GravityZone verification tools. Additional information is available at: https://labs.nettitude.com/blog/cve-2018-8955-bitdefender-gravityzone-arbit… --------------------------------------------- https://www.securitytracker.com/id/1041940 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (hesiod, lighttpd, and opencc), openSUSE (apache-pdfbox, net-snmp, pam_pkcs11, rpm, tiff, udisks2, and wireshark), SUSE (dhcp, ghostscript-library, ImageMagick, libraw, net-snmp, ntp, postgresql96, rust, tiff, xen, and zziplib), and Ubuntu (mysql-5.5, mysql-5.7). --------------------------------------------- https://lwn.net/Articles/769415/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ October 23, 2018 TNS-2018-13 [R1] LCE 5.1.1 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2018-13 ∗∗∗ October 23, 2018 TNS-2018-14 [R1] Nessus 8.0.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2018-14 ∗∗∗ Security vulnerabilities fixed in Firefox ESR 60.3 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/ ∗∗∗ Security vulnerabilities fixed in Firefox 63 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2018
by Daily end-of-shift report 23 Oct '18

23 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Montag 22-10-2018 18:00 − Dienstag 23-10-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malicious Powershell using a Decoy Picture ∗∗∗ --------------------------------------------- I found another interesting piece of malicious Powershell while hunting. The file size is 1.3MB and most of the file is a PE file Base64 encoded. You can immediately detect it by checking the first characters of the string: [...] --------------------------------------------- https://isc.sans.edu/forums/diary/Malicious+Powershell+using+a+Decoy+Pictur… ∗∗∗ Jetzt patchen! Scanner und Exploits für kritische libssh-Lücke aufgetaucht ∗∗∗ --------------------------------------------- Da das Angriffsrisiko wächst, sollten Admins zügig die aktuelle libssh-Version auf Servern installieren. --------------------------------------------- http://heise.de/-4198976 ∗∗∗ Serverless botnets could soon become reality ∗∗∗ --------------------------------------------- We have been accustomed to think about botnets as a network of compromised machines – personal devices, IoT devices, servers – waiting for their masters' orders to begin their attack, but Protego researchers say that many compromised machines are definitely not a requirement: botnets can quite as easily be comprised of serverless functions. --------------------------------------------- https://www.helpnetsecurity.com/2018/10/23/serverless-botnets/ ∗∗∗ Who Is Agent Tesla? ∗∗∗ --------------------------------------------- A powerful, easy-to-use password stealing program known as Agent Tesla has been infecting computers since 2014, but recently this malware strain has seen a surge in popularity - attracting more than 6,300 customers who pay monthly fees to license the software. Although Agent Tesla includes a multitude of features designed to help it remain undetected on host computers, the malwares apparent creator seems to have done little to hide his real-life identity. --------------------------------------------- https://krebsonsecurity.com/2018/10/who-is-agent-tesla/ ∗∗∗ Betrug mit Euro-Lottosystem & Goggins-Transport ∗∗∗ --------------------------------------------- Konsument/innen erhalten eine betrügerische E-Mail, in der es heißt, dass sie bei einem Euro-Lottosystem 97.000 Euro gewonnen haben. Sie sollen Geld an Goggings-Transport bezahlen, damit sie den Preis ausbezahlt bekommen. Es folgen weitere Zahlungsaufforderungen. Mit jeder Bezahlung verliert das Opfer Geld, denn den Gewinn gibt es nicht. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-euro-lottosystem-goggins-… ∗∗∗ Konsolen-kobold.de liefert keine Ware! ∗∗∗ --------------------------------------------- Kaufen Sie nicht auf konsolen-kobold.de ein. Die dort angebotenen Playstations, Xboxen, Nintendos und Spiele sind zwar verlockend günstig, werden aber auch nicht geliefert! Bezahlt wird per Vorkasse und Ihr Geld ist somit weg. --------------------------------------------- https://www.watchlist-internet.at/news/konsolen-koboldde-liefert-keine-ware/ ∗∗∗ CVE-2018–8414: A Case Study in Responsible Disclosure ∗∗∗ --------------------------------------------- The process of vulnerability disclosure can be riddled with frustrations, concerns about ethics, and communication failure. I have had tons of bugs go well. I have had tons of bugs go poorly. --------------------------------------------- https://posts.specterops.io/cve-2018-8414-a-case-study-in-responsible-discl… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-1.8.0-openjdk), Fedora (mosquitto), openSUSE (binutils, clamav, exiv2, fuse, haproxy, singularity, and zziplib), Slackware (firefox), SUSE (apache-pdfbox, net-snmp, pam_pkcs11, postgresql94, rpm, tiff, and wireshark), and Ubuntu (kernel, libssh, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-azure, linux-lts-trusty, linux-lts-xenial, linux-aws, net-snmp, paramiko, requests, and texlive-bin). --------------------------------------------- https://lwn.net/Articles/769300/ ∗∗∗ IBM Security Bulletin: IBM BladeCenter Switch Modules are affected by information disclosure vulnerability (CVE-2014-8730) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10736107 ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in OpenSLP (CVE-2017-17833) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10735359 ∗∗∗ IBM Security Bulletin: Vulnerabilities in GNU OpenSSL affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10734825 ∗∗∗ IBM Security Bulletin: IBM WebSphere Commerce could allow a remote attacker to obtain sensitive information (CVE-2018-1811) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10735589 ∗∗∗ IBM Security Bulletin: An Information Disclosure Vulnerability affects WebSphere Commerce (CVE-2018-1809) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10732972 ∗∗∗ IBM Security Bulletin: A authenticated open redirect vulnerability affects IBM WebSphere Commerce Accelerator Tool (CVE-2018-1807) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10735581 ∗∗∗ IBM Security Bulletin: An Information Disclosure Vulnerability affects WebSphere Commerce (CVE-2018-1806) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10733149 ∗∗∗ IBM Security Bulletin: A cross site scripting vulnerability affects IBM WebSphere Commerce Accelerator tool (CVE-2018-1541) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731225 ∗∗∗ IPsec IKEv1 vulnerability CVE-2018-5389 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42378447 ∗∗∗ Linux kernel vulnerability CVE-2018-14634 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K20934447 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2018
by Daily end-of-shift report 22 Oct '18

22 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-10-2018 18:00 − Montag 22-10-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Remote Code Execution Flaws Found in FreeRTOS - Popular OS for Embedded Systems ∗∗∗ --------------------------------------------- FreeRTOS, the open-source operating system that powers most of the small microprocessors and microcontrollers in smart homes and critical infrastructure systems has 13 vulnerabilities, a third of them allowing remote code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/remote-code-execution-flaws-… ∗∗∗ Sicherheitsupdate: Ein Klick zu viel und Microsoft Yammer führt Schadcode aus ∗∗∗ --------------------------------------------- Es gibt einen wichtigen Patch für die Desktop-Anwendung von Yammer. --------------------------------------------- http://heise.de/-4198055 ∗∗∗ Jetzt patchen! Kritische Lücke in den Mediaplayern VLC und MPlayer ∗∗∗ --------------------------------------------- Angreifer könnten Nutzer der Medienabspieler VLC und MPlayer mit vergleichsweise wenig Aufwand attackieren. --------------------------------------------- http://heise.de/-4198129 ∗∗∗ l+f: Snackautomaten-Flatrate ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher wird zum Snackosaurus. --------------------------------------------- http://heise.de/-4198336 ∗∗∗ TCP/IP, Sockets, and SIGPIPE ∗∗∗ --------------------------------------------- There is a spectre haunting the Internet - the spectre of SIGPIPE errors. Its a bug in the original design of Unix networking from 1981 that is perpetuated by college textbooks, which teach students to ignore it. As a consequence, sometimes software unexpectedly crashes. This is particularly acute on industrial and medical networks, where security professionals cant run port/security scans for fear of crashing critical devices. --------------------------------------------- https://blog.erratasec.com/2018/10/tcpip-sockets-and-sigpipe.html ∗∗∗ Warnung vor verda-maehroboter.de ∗∗∗ --------------------------------------------- Der betrügerische Online-Shop verda-maehroboter.de verkauft günstige Mähroboter und Rasentraktoren. Wer bei ihm einkauft, verliert sein Geld und seine Identität an Verbrecher/innen. Zu einer Warenlieferung kommt es nicht. Der Fake-Shop verda-maehroboter.de ist mithilfe einer Internetrecherche, eines Preisvergleichs und einer Überprüfung der Zahlungsmethoden erkennbar. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-verda-maehroboterde/ ∗∗∗ Let's talk about PAKE ∗∗∗ --------------------------------------------- The first rule of PAKE is: nobody ever wants to talk about PAKE. The second rule of PAKE is that this is a shame, because PAKE — which stands for Password Authenticated Key Exchange — is actually one of the most useful technologies that (almost) never gets used. It should be deployed everywhere, and yet it isn't. --------------------------------------------- https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/ ===================== = Vulnerabilities = ===================== ∗∗∗ libssh Authentication Bypass Vulnerability Affecting Cisco Products: October 2018 ∗∗∗ --------------------------------------------- A vulnerability in libssh could allow an unauthenticated, remote attacker to bypass authentication on a targeted system.The vulnerability is due to improper authentication operations by the server-side state machine of the affected software. An attacker could exploit this vulnerability by presenting a SSH2_MSG_USERAUTH_SUCCESS message to a targeted system. A successful exploit could allow the attacker to bypass authentication and gain unauthorized access to a targeted system. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ SECURITY BULLETIN: Trend Micro Antivirus for Mac (Consumer) Privilege Escalation Vulnerabilities ∗∗∗ --------------------------------------------- Trend Micro has released fixes for the Trend Micro Antivirus for Mac family of consumer products which resolve vulnerabilities that could allow an attacker to escalate privileges on a vulnerable system that they otherwise would not have had access to. --------------------------------------------- https://esupport.trendmicro.com/en-US/home/pages/technical-support/1121296.… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (thunderbird), Debian (drupal7, exiv2, and ghostscript), Fedora (apache-commons-compress, git, libssh, and patch), Mageia (389-ds-base, calibre, clamav, docker, ghostscript, glib2.0, libtiff, mgetty, php-smarty, rust, tcpflow, and vlc), openSUSE (Chromium, icinga, and libssh), and SUSE (clamav, fuse, GraphicsMagick, haproxy, libssh, thunderbird, tomcat, udisks2, and Xerces-c). --------------------------------------------- https://lwn.net/Articles/769163/ ∗∗∗ IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jul 2018 – Includes Oracle Jul 2018 CPU affects IBM Tivoli Composite Application Manager for Transactions ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10735807 ∗∗∗ IBM Security Bulletin: Vulnerabilities in GNU binutils affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10733785 ∗∗∗ BIG-IP-reflected XSS vulnerability in an undisclosed Configuration utility page CVE-2018-15315 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K41704442 ∗∗∗ PEPPERL+FUCHS ecom Mobile devices prone to Android privilege elevation vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2018-016 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.10.2018
by Daily end-of-shift report 19 Oct '18

19 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-10-2018 18:00 − Freitag 19-10-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ SSH Key Management Overview & 6 Best Practices ∗∗∗ --------------------------------------------- Secure Socket Shell (SSH), also called Secure Shell, is a special network protocol leveraging .. --------------------------------------------- https://www.beyondtrust.com/blog/ssh-key-management-overview-6-best-practic… ∗∗∗ How we discovered a Ukranian cybercrime hotspot ∗∗∗ --------------------------------------------- Our researchers wanted to take a closer look at the GandCrab ransomware. Then they found an entire cybercrime network, operating from Ukraine. --------------------------------------------- https://www.gdatasoftware.com/blog/2018/10/31187-ukranian-cybercrime-hotspo… ∗∗∗ The Underground Job Market ∗∗∗ --------------------------------------------- "Leave your ego at the door every morning, and just do some truly great work. Few things will make you feel better than a job brilliantly done." Robin S. Sharma The last time we visited the .. --------------------------------------------- https://trustwave.com/Resources/SpiderLabs-Blog/The-Underground-Job-Market/ ∗∗∗ Hack.lu 2018 Wrap-Up Day #3 ∗∗∗ --------------------------------------------- Here we go with the last wrap-up of the 2018 edition! The first presentation was about worms: “Worms that turn: nematodes and neotodes” by Matt Wixey. The first slide contained the mention: “for educational purposes only”. What could we .. --------------------------------------------- https://blog.rootshell.be/2018/10/18/hack-lu-2018-wrap-up-day-3/ ∗∗∗ Jetzt patchen! Kritische Lücken in Drupal gefährden ganze Websites ∗∗∗ --------------------------------------------- Aufgrund von mehreren Schwachstellen sollten Web-Admins zügig ihre Drupal-Installation auf den aktuellen Stand bringen. --------------------------------------------- http://heise.de/-4196243 ∗∗∗ Sicherheitslücke in jQuery-File-Upload Plug-in macht unzählige Server verwundbar ∗∗∗ --------------------------------------------- Es ist ein wichtiges Sicherheitsupdate für das jQuery-File-Upload-Plug-in erschienen. Eine globale Installation ist jedoch utopisch. --------------------------------------------- http://heise.de/-4196771 ∗∗∗ Encrypted SNI Comes to Firefox Nightly ∗∗∗ --------------------------------------------- TL;DR: Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension, which helps prevent attackers on your network from learning your browsing history. You can enable encrypted SNI today and .. --------------------------------------------- https://blog.mozilla.org/security/2018/10/18/encrypted-sni-comes-to-firefox… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4323 drupal7 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4323 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2018
by Daily end-of-shift report 18 Oct '18

18 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-10-2018 18:00 − Donnerstag 18-10-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hack.lu 2018 Wrap-Up Day #2 ∗∗∗ --------------------------------------------- The second day started early with an eye-opener talk: “IPC – the broken dream of inherent security” by Thanh Bui. IPC or “Inter-Process Communications” are everywhere. You can compare them as a network connection between a .. --------------------------------------------- https://blog.rootshell.be/2018/10/17/hack-lu-2018-wrap-up-day-2/ ∗∗∗ Sicherheitslücken-Cocktail bringt D-Link-Router zu Fall ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher kombiniert drei Sicherheitslücken und erlangt die volle Kontrolle über D-Link-Router. Patches gibt es noch nicht. --------------------------------------------- http://heise.de/-4195134 ∗∗∗ Distrust of the Symantec PKI: Immediate action needed by site operators ∗∗∗ --------------------------------------------- Chrome 70 has now been released to the Stable Channel, and users will start to see full screen interstitials on sites which still use certificates issues by the Legacy Symantec .. --------------------------------------------- https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.… ∗∗∗ VestaCP compromised in a new supply-chain attack ∗∗∗ --------------------------------------------- Customers see their admin credentials stolen and their servers infected with .. --------------------------------------------- https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-dist… ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3-PSA-2018-001: By-passing Protection of PharStreamWrapper Interceptor ∗∗∗ --------------------------------------------- It has been discovered that the protection against insecure deserialization can be by-passed in PharStreamWrapper component. --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2018-001/ ∗∗∗ Drupal Core - Multiple Vulnerabilities - SA-CORE-2018-006 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2018-006 ∗∗∗ Drupal Core - 3rd-party libraries -SA-CORE-2018-005 ∗∗∗ --------------------------------------------- https://www.drupal.org/SA-CORE-2018-005 ∗∗∗ HTML Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-069 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2018-069 ∗∗∗ Mime Mail - Critical - Remote Code Execution - SA-CONTRIB-2018-068 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2018-068 ∗∗∗ Cisco Wireless LAN Controller Software Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2018
by Daily end-of-shift report 17 Oct '18

17 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-10-2018 18:00 − Mittwoch 17-10-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Injecting Code into Windows Protected Processes using COM - Part 1 ∗∗∗ --------------------------------------------- Posted by James Forshaw, Google Project ZeroAt Recon Montreal 2018 I presented "Unknown Known DLLs and other Code Integrity Trust Violations" with Alex Ionescu. We described the implementation of Microsoft Windows' Code Integrity mechanisms and how Microsoft implemented Protected Processes (PP). As part of that I demonstrated various ways of bypassing Protected Process Light (PPL), some requiring administrator privileges, others not. --------------------------------------------- https://googleprojectzero.blogspot.com/2018/10/injecting-code-into-windows-… ∗∗∗ Multiple D-Link Routers Open to Complete Takeover with Simple Attack ∗∗∗ --------------------------------------------- The vendor only plans to patch two of the eight impacted devices, according to a researcher. --------------------------------------------- https://threatpost.com/multiple-d-link-routers-open-to-complete-takeover-wi… ∗∗∗ Party like its 1987... SVGA code bug haunts VMwares house, lets guests flee to host OS ∗∗∗ --------------------------------------------- Malicious code in VMs can leap over ESXi, Workstation, Fusion hypervisor security Get busy, VMware admins and users: the virtualisation virtuoso has patched a programming blunder in ESXi, Workstation Pro and Player, and Fusion and Fusion Pro products that can be exploited by malicious code to jump from guest OS to host machine. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/10/17/vmware_svga… ∗∗∗ Warnung vor gefälschtem A1-Update ∗∗∗ --------------------------------------------- Konsument/innen erhalten eine angebliche Nachricht von A1, in der es heißt, dass der Mobilfunkanbieter ein Update für sie bereit stellt. Kund/innen sollen es installieren, damit sie weiterhin das Mobilfunknetz des Anbieters nutzen können. Kommen sie der Aufforderung nach, installieren sie Schadsoftware auf ihrem Smartphone. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-gefaelschtem-a1-update/ ∗∗∗ IT-Sicherheit - 100.000 Geräte: "Netter" Hacker entfernt ungefragt Sicherheitslücken ∗∗∗ --------------------------------------------- Seit April sind verheerende Sicherheitslücken bei Routern der Marke Mikrotik bekannt - vom Hersteller gibt es kein Update --------------------------------------------- https://derstandard.at/2000089517357/Netter-Hacker-entfernt-ungefragt-Siche… ∗∗∗ Persistent Credential Theft with Authorization Plugins ∗∗∗ --------------------------------------------- Credential theft is often one of the first tactics leveraged by attackers once they’ve escalated privileges on a victim’s machine. Credential theft on OSX has become more difficult with the introduction of System Integrity Protection (SIP). Attackers can no longer use methods such as extracting the master keys from the securityd process and decrypting the victim’s login keychain. An example of this can be seen here. --------------------------------------------- https://posts.specterops.io/persistent-credential-theft-with-authorization-… ===================== = Vulnerabilities = ===================== ∗∗∗ Omron CX-Supervisor ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper restriction of operations within the bounds of a memory buffer, out-of-bounds read, use-after-free, and incorrect type conversion or cast vulnerabilities in Omrons CX-Supervisor software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-290-01 ∗∗∗ Authentication bypass in server code in libssh ∗∗∗ --------------------------------------------- There is a vulnerability within the server code which can enable a client to bypass the authentication process and set the internal state machine maintained by the library to authenticated, enabling the (otherwise prohibited) creation of channels. --------------------------------------------- https://www.libssh.org/security/advisories/CVE-2018-10933.txt ∗∗∗ VMSA-2018-0026 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, and Fusion updates address an out-of-bounds read vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0026.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (tomcat), Debian (asterisk, graphicsmagick, and libpdfbox-java), openSUSE (apache2 and git), Oracle (tomcat), Red Hat (kernel and Satellite 6.4), Slackware (libssh), SUSE (binutils, ImageMagick, and libssh), and Ubuntu (clamav, libssh, moin, and paramiko). --------------------------------------------- https://lwn.net/Articles/768617/ ∗∗∗ Synology-SA-18:55 DSM ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to obtain sensitive information via a susceptible version of Synology Diskstation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_18_55 ∗∗∗ Oracle Critical Patch Update Advisory - October 2018 ∗∗∗ --------------------------------------------- https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html ∗∗∗ Solaris Third Party Bulletin - October 2018 ∗∗∗ --------------------------------------------- http://www.oracle.com/technetwork/topics/security/bulletinoct2018-5139632.h… ∗∗∗ Security Advisory - Information Leak Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20181017-… ∗∗∗ HPESBHF03891 rev.1 - HPE UIoT, Remote Unauthorized Access ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.10.2018
by Daily end-of-shift report 16 Oct '18

16 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Montag 15-10-2018 18:00 − Dienstag 16-10-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ pEp-Foundation hat Sicherheitslücke in Enigmail/pEp geschlossen ∗∗∗ --------------------------------------------- Die pEp-Foundation hat eine Sicherheitslücke gestopft: Das Add-on Enigmail unter Windows hatte vorgeblich verschlüsselte Mails im Klartext verschickt. --------------------------------------------- http://heise.de/-4191426 ∗∗∗ Android 9 Pie: Google knüpft Backup-Verschlüsselung an gerätespezifische Passcodes ∗∗∗ --------------------------------------------- Der Zugriff auf Anwendungsdaten in Androids Cloud-Backups erfordert künftig einen Entschlüsselungskey, den selbst Google nicht kennt. --------------------------------------------- http://heise.de/-4191017 ∗∗∗ Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox ∗∗∗ --------------------------------------------- Cisco Talos has discovered a new malware campaign that drops the sophisticated information-stealing trojan called "Agent Tesla," and other malware such as the Loki information stealer. Initially, Talos telemetry systems detected a .. --------------------------------------------- https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new… ∗∗∗ Phishers are after something unusual in ploy targeting book publishers ∗∗∗ --------------------------------------------- In a new twist on the theme, the scammers have their sights set on book manuscripts, among other .. --------------------------------------------- http://feedproxy.google.com/~r/eset/blog/~3/lABhPeu59as/ ∗∗∗ Fake-Shop-Alarm auf macbooks-billiger.de ∗∗∗ --------------------------------------------- Auf macbooks-billiger.de werden Apple-Produkte, wie MacBooks, iPhones, Apple Watches und iPads zu konkurrenzlos günstigen Preisen angeboten. Wie das geht, fragen Sie? Die Antwort lautet „Betrug!“. Sie .. --------------------------------------------- https://www.watchlist-internet.at/index.php?id=71&tx_news_pi1[news]=3169&tx… ∗∗∗ Removing Old Versions of TLS ∗∗∗ --------------------------------------------- In March of 2020, Firefox will disable support for TLS 1.0 and TLS 1.1. On the Internet, 20 years is an eternity. TLS 1.0 will be 20 years old in January 2019. In that time, TLS has protected .. --------------------------------------------- https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4319 spice - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4319 ∗∗∗ DSA-4318 moin - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4318 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.10.2018
by Daily end-of-shift report 15 Oct '18

15 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-10-2018 18:00 − Montag 15-10-2018 18:00 Handler: Alexander Riepl Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ l+f: Krypto-Miner hegt und pflegt Flash ∗∗∗ --------------------------------------------- Ein Trojaner tut erst Gutes und dann Böses. --------------------------------------------- http://heise.de/-4190878 ∗∗∗ Patching, Re-Patching and Meta-Patching the Jet Database Engine RCE (CVE-2018-8423) ∗∗∗ --------------------------------------------- Flawed Patches Will Always Happen, But We Can Change How They Get Fixed by Mitja Kolsek, the 0patch TeamTL;DR: Microsoft patched CVE-2018-8423 eighteen days after we had micropatched it. Their official patch turned out to be incomplete so we re-micropatched it.This is a story about a Windows vulnerability that was reported to Microsoft, published as "0day" before the official patch was available, micropatched by us one day later, subsequently patched by Microsoft, found to be [...] --------------------------------------------- https://blog.0patch.com/2018/10/patching-re-patching-and-meta-patching.html ∗∗∗ Datendiebstahl mit gefälschter WhatsApp-Rechnung ∗∗∗ --------------------------------------------- Datendiebe versenden eine gefälschte WhatsApp-Rechnung per E-Mail. Darin behaupten sie in betrügerischer Absicht, dass Konsument/innen für den Messenger bezahlen müssen. Dazu sollen sie auf einer Website ihre Kreditkartendaten und ihren TAN-Code bekannt geben. Das führt zur Übermittlung der Informationen an Kriminelle. Dadurch verlieren Opfer ihr Geld und ihre Identität an Datendiebe. --------------------------------------------- https://www.watchlist-internet.at/news/datendiebstahl-mit-gefaelschter-what… ∗∗∗ IT-Security - "PHP-Zeitbombe": 62 Prozent aller Internetseiten sind bald unsicher ∗∗∗ --------------------------------------------- Mit Ende des Jahres endet der Support für PHP 5.6, das immer noch vielfach genutzt wird --------------------------------------------- https://derstandard.at/2000089376436/PHP-Zeitbombe-62-Prozent-aller-Interne… ===================== = Vulnerabilities = ===================== ∗∗∗ MS-ISAC Releases Advisory on PHP Vulnerabilities ∗∗∗ --------------------------------------------- The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities. An attacker could exploit some of these vulnerabilities to take control of an affected system.NCCIC encourages users and administrators to review MS-ISAC Advisory 2018-113 and the PHP Downloads page and apply the necessary updates. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2018/10/12/MS-ISAC-Releases-A… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (wireshark-cli), Debian (imagemagick, otrs2, tomcat7, and wireshark), Fedora (ca-certificates, dislocker, dolphin-emu, kernel-headers, kernel-tools, libgit2, mbedtls, mingw-openjpeg2, nekovm, openjpeg2, patch, strongswan, and thunderbird), Mageia (firefox, git, nextcloud, and texlive), Oracle (kernel and openssl), Scientific Linux (spamassassin), SUSE (libtirpc), and Ubuntu (requests). --------------------------------------------- https://lwn.net/Articles/768406/ ∗∗∗ Security Advisory - Arbitrary Memory Read Write Vulnerability in Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170306-… ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2018-11763 in the IBM i HTTP Server affects IBM i. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10735045 ∗∗∗ IBM Security Bulletin: Potential cross-site scripting vulnerability in the WebSphere Application Server Admin Console (CVE-2018-1777) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10730631 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.10.2018
by Daily end-of-shift report 12 Oct '18

12 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-10-2018 18:00 − Freitag 12-10-2018 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Proof-of-Concept-Code für Windows-Lücke veröffentlicht ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher zeigt, wie er mit einem vergleichsweise simplen Skript aus dem Browser Edge heraus eine andere Anwendung startet. --------------------------------------------- http://heise.de/-4189565 ∗∗∗ Adaptable, All-in-One Android Trojan Shows the Future of Malware ∗∗∗ --------------------------------------------- GPlayed may be the new face of malware -- flexible and adaptable, with a Swiss Army knife-like toolbox that can be used to target pretty much anyone. --------------------------------------------- https://threatpost.com/adaptable-all-in-one-android-trojan-shows-the-future… ∗∗∗ New Drupalgeddon Attacks Enlist Shellbot to Open Backdoors ∗∗∗ --------------------------------------------- Drupalgeddon 2.0 vulnerability is being exploited again by attackers using a time-honored technique of Shellbot, or PerlBot. --------------------------------------------- https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-bac… ∗∗∗ Google Adds Control-Flow Integrity to Beef up Android Kernel Security ∗∗∗ --------------------------------------------- Google has added a new security feature to the latest Linux kernels for Android devices to prevent it against code reuse attacks that allow attackers to achieve arbitrary code execution by exploiting control-flow hijacking vulnerabilities. --------------------------------------------- https://thehackernews.com/2018/10/android-linux-kernel-cfi.html ∗∗∗ AA18-284A: Publicly Available Tools Seen in Cyber Incidents Worldwide ∗∗∗ --------------------------------------------- This report is a collaborative research effort by the cyber security authorities of five nations: Australia, Canada, New Zealand, the United Kingdom, and the United States. In it we highlight the use of five publicly available tools, which have been used for malicious purposes in recent cyber incidents around the world. --------------------------------------------- https://www.us-cert.gov/ncas/alerts/AA18-284A ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (net-snmp), Fedora (php-horde-nag), openSUSE (git, java-1_8_0-openjdk, libxml2, mgetty, moinmoin-wiki, postgresql10, and soundtouch), Oracle (spamassassin), Red Hat (spamassassin), SUSE (apache2, axis, kernel, libX11 and libxcb, and texlive), and Ubuntu (clamav, git, and texlive-bin). --------------------------------------------- https://lwn.net/Articles/768244/ ∗∗∗ NUUO NVRmini2 and NVRsolo ∗∗∗ --------------------------------------------- This advisory includes mitigations for stack-based buffer overflow and leftover debug code vulnerabilities in NUUOs NVRmini2 and NVRsolo network video recorders. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-01 ∗∗∗ NUUO CMS ∗∗∗ --------------------------------------------- This advisory includes mitigations for use of insufficiently random values, use of obsolete function, incorrect permission assignment for critical resource, and use of hard-coded credentials vulnerabilities in a NUUOs CMS software management platform. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02-NUUO-CMS ∗∗∗ Delta Industrial Automation TPEditor ∗∗∗ --------------------------------------------- This advisory includes mitigations for out-of-bounds write and stack-based buffer overflow vulnerabilities in the Delta Industrial Automation TPEditor software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-284-03 ∗∗∗ Critical Patch Update - October 2018 - Pre-Release Announcement ∗∗∗ --------------------------------------------- https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by a vulnerability in glibc (CVE-2018-11236) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10734721 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in OpenSSH ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10734739 ∗∗∗ IBM Security Bulletin: Vulnerabilities in procps affect IBM BladeCenter Advanced Management Module (AMM) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10733895 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in procps ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10734741 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by a vulnerability in OpenSLP (CVE-2017-17833) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10734657 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is vulnerable to Path Traversal (CVE-2018-1744) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10733353 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in libjpeg ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10734731 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is vulnerable to a XML External Entity Injection (XXE) attack (CVE-2018-1747) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10733429 ∗∗∗ IBM Security Bulletin: Vulnerabilities in Python affect IBM BladeCenter Advanced Management Module (AMM) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10733909 ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in ICU ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10734727 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2018
by Daily end-of-shift report 11 Oct '18

11 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-10-2018 18:00 − Donnerstag 11-10-2018 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 5 Endpoint Threats Impacting Security ∗∗∗ --------------------------------------------- Introduction Endpoint threats pose serious security risks to many organizations. Companies are reporting attacks ranging from ransomware to phishing attacks. These attacks lead to the loss of customer data, resulting in massive damage to the company’s reputation, finances and structure. --------------------------------------------- https://resources.infosecinstitute.com/5-endpoint-threats-impacting-securit… ∗∗∗ ICS Tactical Security Trends: Analysis of the Most Frequent SecurityRisks Observed in the Field ∗∗∗ --------------------------------------------- Introduction FireEye iSIGHT Intelligence compiled extensive data from dozens of ICS security health assessment engagements (ICS Healthcheck) performed by Mandiant, FireEyes consulting team, to identify the most pervasive and highest priority security risks in industrial facilities. The information was acquired from hands-on assessments carried out over the last few years across a broad range of industries [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2018/10/ics-tactical-security-t… ∗∗∗ DNS-Schlüsselwechsel: Wie man DNS-Ausfälle erkennt, was dagegen hilft ∗∗∗ --------------------------------------------- Am 11.10. wechselt die ICANN den DNS-Vertrauensanker. Dabei kann es zu Ausfällen von Internet-Diensten kommen. Wir fassen zusammen, was dagegen hilft. --------------------------------------------- https://heise.de/-4187064 ∗∗∗ Sicherheitsupdates: Junipers Junos OS offen für Fernzugriff ohne Passwort ∗∗∗ --------------------------------------------- In Junos OS klaffen zum Teil kritische Sicherheitslücken. Aktualisierte Versionen des Betriebssystems schließen die Schwachstellen. --------------------------------------------- http://heise.de/-4188397 ∗∗∗ Nicht bei saturn-media.net einkaufen ∗∗∗ --------------------------------------------- Saturn-media.net lockt mit günstigen Technikangeboten und versucht durch den Domain eine Verbindung zu den seriösen Anbietern Media Markt und Saturn herzustellen. Saturn-media.net hat jedoch nichts mit den genannten Anbietern zu tun, es handelt sich um einen Fakeshop. Sie erhalten keine Ware und verlieren ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/nicht-bei-saturn-medianet-einkaufen/ ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper Networks Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: October 10, 2018 Juniper Networks has released security updates to address vulnerabilities affecting multiple Junos OS versions. An attacker could exploit some of these vulnerabilities to take control of an affected system.NCCIC encourages users and administrators to review the Juniper Security Advisories website and apply the necessary updates and workarounds. This product is provided subject to this Notification and this Privacy & Use policy. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2018/10/10/Juniper-Networks-R… ∗∗∗ NVP field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-066 ∗∗∗ --------------------------------------------- Project: NVP fieldDate: 2018-October-10Security risk: Moderately critical 14∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: NVP field module allows you to create a field type of name/value pairs, with customtitles and easily editable rendering with customizable HTML/text surrounding the pairs.The module doesnt sufficiently handle sanitization of its field formatters output. --------------------------------------------- https://www.drupal.org/sa-contrib-2018-066 ∗∗∗ Search API Solr Search - Moderately critical - Access bypass - SA-CONTRIB-2018-065 ∗∗∗ --------------------------------------------- Project: Search API Solr SearchVersion: 7.x-1.13Date: 2018-October-10Security risk: Moderately critical 10∕25 AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypassDescription: This module provides support for creating searches using the Apache Solr search engine and the Search API Drupal module.The module doesnt sufficiently take the searched fulltext fields into account when creating a search excerpt. --------------------------------------------- https://www.drupal.org/sa-contrib-2018-065 ∗∗∗ Lightbox2 - Critical - Cross Site Scripting - SA-CONTRIB-2018-064 ∗∗∗ --------------------------------------------- Project: Lightbox2Version: 7.x-2.x-devDate: 2018-October-10Security risk: Critical 18∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Cross Site ScriptingDescription: The Lightbox2 module enables you to overlay images on the current page.The module did not sanitize some inputs when used in combination with a custom view leading to potential Cross Site Scripting (XSS).Solution: Install the latest version [...] --------------------------------------------- https://www.drupal.org/sa-contrib-2018-064 ∗∗∗ Teltonika RUT9XX Unauthenticated OS Command Injection ∗∗∗ --------------------------------------------- Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges. --------------------------------------------- https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319… ∗∗∗ Teltonika RUT9XX Reflected Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- Teltonika RUT9XX routers with firmware before 00.05.01.1 are prone to cross-site scripting vulnerabilities in hotspotlogin.cgi due to insufficient user input sanitization. --------------------------------------------- https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180410… ∗∗∗ Teltonika RUT9XX Missing Access Control to UART Root Terminal ∗∗∗ --------------------------------------------- Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges. --------------------------------------------- https://github.com/sbaresearch/advisories/tree/public/2018/SBA-ADV-20180319… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dnsruby, gnulib, and jekyll), Fedora (calamares, fawkes, git, kernel-headers, librime, and pdns), openSUSE (ImageMagick), Oracle (kernel), Scientific Linux (glusterfs, kernel, and nss), Slackware (git), SUSE (ImageMagick), and Ubuntu (tomcat7, tomcat8). --------------------------------------------- https://lwn.net/Articles/768145/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in GNU Binutils affect IBM Netezza Platform Software clients. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10728795 ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801q ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731217 ∗∗∗ IBM Security Bulletin: Potential bypass security vulnerability in Expression Language library used by WebSphere Application Server (CVE-2014-7810) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729557 ∗∗∗ IBM Security Bulletin: Potential traversal vulnerability in IBM WebSphere Application Server Admin Console (CVE-2018-1770) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729521 ∗∗∗ IBM Security Bulletin: IBM FileNet Content Manager component FileNet Deployment Manager security vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/docview.wss?uid=ibm10732755 ∗∗∗ IBM Security Bulletin: Remote code execution vulnerability (CVE-2018-1260) affects IBM Spectrum Symphony 7.2.0.2 and 7.2.1 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10731859 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerabilities affect Rational Publishing Engine ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10734697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2018
by Daily end-of-shift report 10 Oct '18

10 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-10-2018 18:00 − Mittwoch 10-10-2018 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zero-day exploit (CVE-2018-8453) used in targeted attacks ∗∗∗ --------------------------------------------- Yesterday, Microsoft published their security bulletin, which patches CVE-2018-8453, among others. It is a vulnerability in win32k.sys discovered by Kaspersky Lab in August. Microsoft confirmed the vulnerability and designated it CVE-2018-8453. --------------------------------------------- https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/ ∗∗∗ Patchday: Zero-Day-Fix für Windows, kritische Exchange-Lücke ∗∗∗ --------------------------------------------- Im Oktober behebt Microsoft knapp 50 Sicherheitsprobleme. Darunter kritische Lücken in Windows-Komponenten und im Exchange Mail-Server. --------------------------------------------- http://heise.de/-4186268 ∗∗∗ Kritische Sicherheitslücke gefährdet Milliarden WhatsApp-Nutzer ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in WhatsApp ermöglicht es, ein Smartphone mit einem einzigen Video-Call zu kapern. Potentiell betroffen sind Milliarden WhatsApp-Nutzer. --------------------------------------------- http://heise.de/-4186365 ∗∗∗ Patchday: Adobe stopft kritische Lücke in Digital Editions ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate für Flash, das keins ist, und die Abwesenheit von Reader-Patches sorgen bei Adobe für einen eher untypischen Patchday. --------------------------------------------- http://heise.de/-4186327 ∗∗∗ IIS attacks surge from 2,000 to 1.7 million over last quarter ∗∗∗ --------------------------------------------- IIS, Drupal, and Oracle WebLogic web technologies experienced increased attacks in Q2 2018. According to a new threat report from eSentire, IIS attacks showed a massive increase, from 2,000 to 1.7 million, since last quarter. --------------------------------------------- https://www.helpnetsecurity.com/2018/10/10/iis-attacks-surge/ ∗∗∗ Magecart hacks Shopper Approved to simultaneously hit many e-commerce sites ∗∗∗ --------------------------------------------- The cybercriminal groups under the Magecart umbrella strike again and again, and one of them has apparently specialized in compromising third parties to more easily get in as many online shops as possible. The latest target of Magecart Group 5, as it has been dubbed by RiskIQ researcher Yonathan Klijnsma, is Shopper Approved, an organization that provides rating seals for online stores. --------------------------------------------- https://www.helpnetsecurity.com/2018/10/10/magecart-hacks-shopper-approved/ ∗∗∗ Kleinanzeigenbetrug mit Western Union Überweisungen ∗∗∗ --------------------------------------------- Vorsicht beim Kleinanzeigenverkauf! BetrügerInnen, die sich als KaufinteressentInnen ausgeben, behaupten, ihren Opfern überhöhte Geldbeträge überwiesen zu haben, die nur durch eine Western Union Transaktion an ein Speditionsunternehmen freigeschalten werden können. Führen Sie diese Transaktion nicht durch, denn Ihr Geld wäre verloren und die freizuschaltende Überweisung gibt es nicht! --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-mit-western-unio… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Digital Editions (APSB18-27), Adobe Experience Manager (APSB18-36), Adobe Framemaker (APSB18-37) and Adobe Technical Communications Suite (APSB18-38). Adobe recommends users update their product installations to the latest versions using the instructions referenced [...] --------------------------------------------- https://blogs.adobe.com/psirt/?p=1633 ∗∗∗ jQuery-File-Upload < = v9.22.0 unauthenticated arbitrary file upload vulnerability ∗∗∗ --------------------------------------------- Topic: jQuery-File-Upload < = v9.22.0 unauthenticated arbitrary file upload vulnerability Risk: Medium Text:Title: jQuery-File-Upload < = v9.22.0 unauthenticated arbitrary file upload vulnerability Author: Larry W. Cashdollar [...] --------------------------------------------- https://cxsecurity.com/issue/WLB-2018100094 ∗∗∗ GE iFix ∗∗∗ --------------------------------------------- This advisory includes mitigations for an unsafe ActiveX control marked safe for scripting vulnerability in a Gigasoft component affecting GE’s iFix HMI products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-282-01 ∗∗∗ Fuji Electric Energy Savings Estimator ∗∗∗ --------------------------------------------- This advisory includes mitigations for an uncontrolled search path element (DLL Hijacking) vulnerability in the Fuji Electric Energy Savings Estimator software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-282-07 ∗∗∗ October 2018 Security Update Release ∗∗∗ --------------------------------------------- Today, we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to turn on automatic updates. More information about this month’s security updates can be found in the Security Update Guide. --------------------------------------------- https://blogs.technet.microsoft.com/msrc/2018/10/09/october-2018-security-u… ∗∗∗ October 2018 Microsoft Patch Tuesday, (Tue, Oct 9th) ∗∗∗ --------------------------------------------- Microsoft released patches for 48 vulnerabilities today and one advisory regarding a defense in depth update for Office. No Adobe updates are included so far, but Adobe has released updates to PDF Reader / Acrobat about a week ago. --------------------------------------------- https://isc.sans.edu/diary/rss/24186 ∗∗∗ VMSA-2018-0025 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, and Fusion workarounds address a denial-of-service vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0025.html ∗∗∗ USN-3787-1: Tomcat vulnerability ∗∗∗ --------------------------------------------- tomcat7, tomcat8 vulnerabilityA security issue affects these releases of Ubuntu and its derivatives:Ubuntu 16.04 LTSUbuntu 14.04 LTSSummaryTomcat could be made to redirect to arbitrary locations.Software Descriptiontomcat8 - Servlet and JSP enginetomcat7 - Servlet and JSP engineDetailsIt was discovered that Tomcat incorrectly handled returning redirects to adirectory. A remote attacker could possibly use this issue with a speciallycrafted URL to redirect to arbitrary URIs. --------------------------------------------- https://usn.ubuntu.com/3787-1/ ∗∗∗ October 2018 Office Update Release ∗∗∗ --------------------------------------------- The October 2018 Public Update releases for Office are now available! This month, there are 23 security updates and 17 non-security updates. All of the security and non-security updates are listed in KB article 4464656. A new version of Office 2013 Click-To-Run is available: 15.0.5075.1001 A new version of Office 2010 Click-To-Run is available: 14.0.7214.5000 --------------------------------------------- https://blogs.technet.microsoft.com/office_sustained_engineering/2018/10/09… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (patch), CentOS (firefox, glusterfs, kernel, and nss), Debian (net-snmp), Oracle (firefox, glusterfs, kernel, and nss), Red Hat (glusterfs, kernel, and nss), Scientific Linux (firefox), SUSE (kernel), and Ubuntu (webkit2gtk). --------------------------------------------- https://lwn.net/Articles/768041/ ∗∗∗ BSRT 2018-004 Information Disclosure Vulnerability in Management Console Impacts UEM ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Security Advisory - Improper Authentication Vulnerability on Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20181010-… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server in IBM Cloud July 2018 CPU ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10734161 ∗∗∗ IBM Security Bulletin: IBM FileNet Content Manager affected by Apache PDFBox security vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/docview.wss?uid=ibm10716315 ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server in IBM Cloud ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10734167 ∗∗∗ IBM Security Bulletin: Server Automation is affected by the following GSKit vulnerabilities (CVE-2018-1447, CVE-2018-1427, CVE-2018-1428) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718773 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2018
by Daily end-of-shift report 09 Oct '18

09 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Montag 08-10-2018 18:00 − Dienstag 09-10-2018 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Millionen Xiongmai-Überwachungskameras durch Cloud-Feature unsicher (XMEye P2P Coud) ∗∗∗ --------------------------------------------- Über 9 Millionen IoT-Geräte des chinesischem OEM-Herstellers "Xiongmai" sind unsicher (selbst jene hinter einer Firewall), weil sie ein unsicheres Cloud-Feature namens "XMEye P2P cloud" standardmäßig aktiv haben. --------------------------------------------- https://www.sec-consult.com/blog/2018/10/millionen-xiongmai-ueberwachungska… ∗∗∗ Sicherheitsupdates: Kritische Lücken in Cisco DNA gefährden ganze Netzwerke ∗∗∗ --------------------------------------------- Cisco stellt Patches für verschiedene Produkte bereit und schließt damit viele Sicherheitslücken. --------------------------------------------- http://heise.de/-4184517 ∗∗∗ Oktober ist Europäischer Monat der Cyber-Sicherheit! ∗∗∗ --------------------------------------------- Auch diesen Oktober nimmt Österreich wieder an der EU-weiten Kampagne European Cyber Security Month (ECSM) teil. Im Fokus steht dabei die Bewusstseinsbildung für Risiken im Netz. --------------------------------------------- https://www.watchlist-internet.at/news/oktober-ist-europaeischer-monat-der-… ===================== = Vulnerabilities = ===================== ∗∗∗ [20181005] - Core - CSRF hardening in com_installer ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Moderate Severity: Low Versions: 2.5.0 through 3.8.12 Exploit type: CSRF Reported Date: 2018-September-26 Fixed Date: 2018-October-02 CVE Number: CVE-2018-17858 Description Added additional CSRF hardening in com_installer actions in the backend. Affected Installs Joomla! CMS versions 2.5.0 through 3.8.12 Solution Upgrade to version 3.8.13 Contact The JSST at the Joomla! Security Centre. Reported By: Raviraj A. Powar --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/nfI3_UnJIrM/755-20181005-c… ∗∗∗ [20181004] - Core - ACL Violation in com_users for the admin verification ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Moderate Severity: Low Versions: 1.5.0 through 3.8.12 Exploit type: ACL Violation Reported Date: 2017-December-27 Fixed Date: 2018-October-02 CVE Number: CVE-2018-17855 Description In case that an attacker gets access to the mail account of an user who can approve admin verifications in the registration process he can activate himself. Affected Installs Joomla! CMS versions 1.5.0 through 3.8.12 Solution Upgrade to version 3.8.13 --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/qGhSucxwoZo/754-20181004-c… ∗∗∗ [20181003] - Core - Access level Violation in com_tags ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Moderate Severity: Low Versions: 3.1.0 through 3.8.12 Exploit type: ACL Violation Reported Date: 2018-June-20 Fixed Date: 2018-October-02 CVE Number: CVE-2018-17857 Description Inadequate checks on the tags search fields can lead to an access level violation. Affected Installs Joomla! CMS versions 3.1.0 through 3.8.12 Solution Upgrade to version 3.8.13 Contact The JSST at the Joomla! Security Centre. --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/nIIfD6jUDgU/753-20181003-c… ∗∗∗ [20181002] - Core - Inadequate default access level for com_joomlaupdate ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: High Severity: Low Versions: 2.5.4 through 3.8.12 Exploit type: Object Injection Reported Date: 2018-June-21 Fixed Date: 2018-October-02 CVE Number: CVE-2018-17856 Description Joomla’s com_joomlaupdate allows the execution of arbitrary code. The default ACL config enabled access of Administrator-level users to access com_joomlaupdate and trigger a code execution. Affected Installs Joomla! CMS versions 2.5.4 through 3.8.12 --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/MptbHWIJjXM/752-20181002-c… ∗∗∗ [20181001] - Core - Hardening com_contact contact form ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Moderate Severity: Low Versions: 2.5.0 through 3.8.12 Exploit type: Incorrect Access Control Reported Date: 2018-September-17 Fixed Date: 2018-October-02 CVE Number: CVE-2018-17859 Description Inadequate checks in com_contact could allowed mail submission in disabled forms. Affected Installs Joomla! CMS versions 2.5.0 through 3.8.12 Solution Upgrade to version 3.8.13 Contact The JSST at the Joomla! Security Centre. Reported By: David Jardin (JSST) --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/lkwPYx4JflE/751-20181001-c… ∗∗∗ SAP Security Patch Day - October 2018 ∗∗∗ --------------------------------------------- On 9th of October 2018, SAP Security Patch Day saw the release of 11 Security Notes. Additionally, there were 4 updates to previously released security notes. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=500633095 ∗∗∗ SSA-347726: Denial-of-Service Vulnerability in SIMATIC S7-1500, SIMATIC S7-1500 Software Controller and SIMATIC ET 200SP Open Controller ∗∗∗ --------------------------------------------- Versions of SIMATIC S7-1500, SIMATIC S7-1500 Software Controller and SIMATIC ET 200 SP Open Controller are affected by a denial-of-service vulnerability. An attacker with network access to the PLC can cause a Denial-of-Service condition on the network stack. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-347726.txt ∗∗∗ SSA-254686: Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- Security researchers published information on vulnerabilities known as Foreshadow and L1 Terminal Fault (L1TF). These vulnerabilities affect many modern processors from different vendors to a varying degree. Several Siemens Industrial Products contain processors that are affected by the vulnerabilities. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-254686.txt ∗∗∗ SSA-464260: TLS ROBOT vulnerability in SCALANCE W1750D ∗∗∗ --------------------------------------------- The latest update for SCALANCE W1750D addresses a vulnerability known as _ROBOT Attack_. The vulnerability could allow an attacker to decrypt TLS traffic. Siemens provides a firmware update and recommends users to update to the new version. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-464260.txt ∗∗∗ SSA-493830: Privilege Escalation in ROX II ∗∗∗ --------------------------------------------- The latest update for ROX II fixes two vulnerabilities. One vulnerability could allow an attacker with a low-privileged user account to execute arbitrary commands. The other vulnerability could allow an attacker with a low-privileged user account to escalate his privileges. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-493830.txt ∗∗∗ SSA-507847: Cross-Site Request Forgery Vulnerability in SIMATIC S7-1200 CPU Family ∗∗∗ --------------------------------------------- The latest firmware update for S7-1200 CPU family version 4 fixes a Cross-Site Request Forgery vulnerability. Siemens recommends to update affected devices as soon as possible. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-507847.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (git), Debian (kernel, samba, and tinc), Fedora (kernel-headers), Oracle (firefox), Red Hat (firefox and qemu-kvm-rhev), Scientific Linux (firefox), SUSE (java-1_8_0-ibm, kubernetes-salt, velum, libxml2, and postgresql10), and Ubuntu (libxkbcommon). --------------------------------------------- https://lwn.net/Articles/767948/ ∗∗∗ iCloud for Windows 7.7 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT209141 ∗∗∗ iOS 12.0.1 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT209162 ∗∗∗ Zimbra Collaboration Suite: Eine Schwachstelle ermöglicht das Darstellen falscher Informationen ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-2038/ ∗∗∗ IBM Security Bulletin: IBM Netcool/OMNIbus Probe DSL Factory Framework is affected by Apache Camel’s Core vulnerability ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731893 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in WebSphere application server affect IBM Workload Scheduler ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10734305 ∗∗∗ Remote Code Execution via XMeye P2P Cloud in Xiongmai IP Cameras, NVRs and DVRs ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/vulnerabilities-xiongmai-ip-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.10.2018
by Daily end-of-shift report 08 Oct '18

08 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-10-2018 18:00 − Montag 08-10-2018 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Git Project Patches Remote Code Execution Vulnerability in Git ∗∗∗ --------------------------------------------- The Git Project announced yesterday a critical arbitrary code execution vulnerability in the Git command line client, Git Desktop, and Atom that could allow malicious repositories to remotely execute commands on a vulnerable machine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/git-project-patches-remote-c… ∗∗∗ Sony Smart TV Bug Allows Remote Access, Root Privileges ∗∗∗ --------------------------------------------- Software patching becomes a new reality for smart TV owners. --------------------------------------------- https://threatpost.com/sony-smart-tv-bug-allows-remote-access-root-privileg… ∗∗∗ ENISA publishes annual report on trust services security incidents 2017 ∗∗∗ --------------------------------------------- ENISA publishes the first full-year annual report on security incidents with electronic trust services, covering 2017. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/enisa-publishes-annual-report-o… ∗∗∗ Sicherheitsupdate: D-Link Central WiFi Manager anfällig für Schadcode ∗∗∗ --------------------------------------------- In der Windows-Version von D-Link Central WiFi Manager klaffen mehrere Sicherheitslücken. Mindestens eine davon gilt als kritisch. Ein Patch schafft Abhilfe. --------------------------------------------- http://heise.de/-4183206 ∗∗∗ macOS: Code-Signing teilweise aushebelbar ∗∗∗ --------------------------------------------- Gatekeeper soll dafür sorgen, dass bekannte Malware auf dem Mac nicht startet. Überprüft wird aber oft nur ein Mal, warnt ein Sicherheitsforscher. --------------------------------------------- http://heise.de/-4182870 ===================== = Vulnerabilities = ===================== ∗∗∗ VU#176301: Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App ∗∗∗ --------------------------------------------- Vulnerability Note VU#176301 Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App Original Release date: 06 Oct 2018 | Last revised: 08 Oct 2018 Overview Auto-Maskin RP remote panels and DCU controls units are used to monitor and control ship engines. The units have several authentication and encryption vulnerabilities which can allow attackers to access the units and control connected engines. Description CWE 798: Use of Hard-Coded Credentials - CVE–2018-5399 [...] --------------------------------------------- http://www.kb.cert.org/vuls/id/176301 ∗∗∗ FLIR Systems FLIR Thermal Traffic Cameras Websocket Device Manipulation ∗∗∗ --------------------------------------------- FLIR thermal traffic cameras suffer from an unauthenticated device manipulation vulnerability utilizing the websocket protocol. The affected FLIR Intelligent Transportation Systems - ITS models use an insecure implementation of websocket communication used for administering the device. Authentication and authorization bypass via referencing a direct object allows an attacker to directly modify running configurations, disclose information or initiate a denial of service (DoS) scenario with [...] --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5490.php ∗∗∗ FLIR Systems FLIR Thermal Traffic Cameras RTSP Stream Disclosure ∗∗∗ --------------------------------------------- FLIR thermal traffic cameras suffer from an unauthenticated and unauthorized live RTSP video stream access. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5489.php ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (adplug, git, php-horde, php-horde-core, and php-horde-kronolith), Fedora (firefox, liblouis, libmad, mediawiki, opensc, php-horde-horde, php-horde-Horde-Core, php-horde-kronolith, and rust), Gentoo (imagemagick, openssh, and sox), openSUSE (ghostscript, gitolite, java-1_8_0-openjdk, kernel, php5, php7, python, thunderbird, tomcat, and unzip), Red Hat (firefox and rh-haproxy18-haproxy), and SUSE (ImageMagick, java-1_8_0-openjdk, kernel, qpdf, [...] --------------------------------------------- https://lwn.net/Articles/767873/ ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager Misses Authentication for Critical Function (CVE-2018-1745) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10733355 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is vulnerable to Improper Authentication (CVE-2018-1738) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10733309 ∗∗∗ IBM Security Bulletin: IBM Tivoli Netcool Impact is affected by an Information disclosure of stack trace vulnerability (CVE-2018-1553) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10733541 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10733543 ∗∗∗ IBM Security Bulletin: Vulnerabilities in NTP, OpenSSL and Intel CPU’s affect IBM Netezza Firmware Diagnostics. ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22016330 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2018
by Daily end-of-shift report 05 Oct '18

05 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-10-2018 18:00 − Freitag 05-10-2018 18:00 Handler: Dimitri Robl Co-Handler: Stefan Lenzhofer ===================== = News = ===================== ∗∗∗ Fallout Exploit Kit Now Installing the Kraken Cryptor Ransomware ∗∗∗ --------------------------------------------- The Fallout Exploit has been distributing the GandCrab Ransomware for the past few weeks, but has now switched its payload to the Kraken Cryptor Ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-now-inst… ∗∗∗ 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools ∗∗∗ --------------------------------------------- Posted by Ivan Fratric, Google Project ZeroAround a year ago, we published the results of research about the resilience of modern browsers against DOM fuzzing, a well-known technique for finding browser bugs. Together with the bug statistics we also published Domato, our DOM fuzzing tool that was used to find those bugs.Given that in the previous research, Apple Safari, or more specifically, WebKit (its DOM engine) did noticeably worse than other browsers, we decided to revisit it after a year [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2018/10/365-days-later-finding-and-e… ∗∗∗ ThreatList: 83% of Routers Contain Vulnerable Code ∗∗∗ --------------------------------------------- Five out of six name brand routers, such as Linksys, NETGEAR and D-Link, contain known open-source vulnerabilities. --------------------------------------------- https://threatpost.com/threatlist-83-of-routers-contain-vulnerable-code/137… ∗∗∗ Domain Name System: Vorsichtsmaßnahmen für den DNS-Schlüsseltausch ∗∗∗ --------------------------------------------- Der kryptografische Hauptschlüssel des DNS wird in einer Woche gewechselt. Für unvorbereitete Provider kann das fatale Folgen haben. --------------------------------------------- http://heise.de/-4179793 ===================== = Vulnerabilities = ===================== ∗∗∗ Carestream Vue RIS ∗∗∗ --------------------------------------------- This advisory includes mitigations for an information exposure through an error message vulnerability in the Carestream Vue RIS, a web-based radiology information system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-277-01 ∗∗∗ Change Healthcare PeerVue Web Server ∗∗∗ --------------------------------------------- This advisory includes mitigations for an information exposure through an error message vulnerability in the Change Healthcare PeerVue Web Server. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-277-02 ∗∗∗ WECON PI Studio ∗∗∗ --------------------------------------------- This advisory includes information on stack-based buffer overflow, out-of-bounds write, and out-of-bounds read vulnerabilities in WECON’s PI Studio HMI project programmer. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-277-01 ∗∗∗ Security Advisory 2018-06: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- October 05, 2018 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability. Please send information regarding vulnerabilities in OTRS to: security(a)otrs.org PGP Key pub 2048R/9C227C6B 2011-03-21 [expires at: 2020-11-16] uid OTRS Security Team GPG Fingerprint E330 4608 DA6E 34B7 1551 C244 7F9E 44E9 9C22The post Security Advisory 2018-06: Security Update for OTRS Framework appeared first on | community.otrs.com. --------------------------------------------- https://community.otrs.com/security-advisory-2018-06-security-update-for-ot… ∗∗∗ VMSA-2018-0024.1 ∗∗∗ --------------------------------------------- VMware Workspace ONE Unified Endpoint Management Console (AirWatch Console) update resolves SAML authentication bypass vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0024.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Fedora (lcms2, php-tcpdf, and udisks2), openSUSE (ImageMagick, libX11, openssl-1_0_0, openssl-1_1, and otrs), SUSE (kernel, php5, php53, php7, and python), and Ubuntu (apparmor and imagemagick). --------------------------------------------- https://lwn.net/Articles/767689/ ∗∗∗ IBM Security Bulletin: A vulnerability in yum-utils affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10728307 ∗∗∗ IBM Security Bulletin: Vulnerabilities in docker affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10725649 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access ∗∗∗ --------------------------------------------- https://www.ibm.com/support/docview.wss?uid=ibm10733857 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10733905 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager generates Application Error (CVE-2018-1753) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10733359 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is vulnerable to Incorrect Permission Assignment for Critical Resource (CVE-2018-1750) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10733311 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is vulnerable to Hazardous Input Validation ( CVE-2018-1749) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10733303 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is vulnerable to Information Exposure (CVE-2018-1743) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10733351 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager Uses Hard-coded Credentials (CVE-2018-1742) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10733419 ∗∗∗ IBM Security Bulletin: IBM Security Key Lifecycle Manager is vulnerable to Improper Control of Interaction Frequency (CVE-2018-1741) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10733425 ∗∗∗ Security vulnerabilities fixed in Thunderbird 60.2.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2018
by Daily end-of-shift report 04 Oct '18

04 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-10-2018 18:00 − Donnerstag 04-10-2018 18:00 Handler: Stephan Richter Co-Handler: Dimitri Robl ===================== = News = ===================== ∗∗∗ Phishing Attacks Distributed Through CloudFlares IPFS Gateway ∗∗∗ --------------------------------------------- Yesterday we reported on a phishing attack that utilizes Azure Blob storage in order to have login forms secured by a Microsoft issued SSL certificate. After reviewing the URLs used by the same attacker, BleepingComputer has discovered that these same bad actors are utilizing the Cloudflare IPFS gateway for the same purpose. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-attacks-distributed… ∗∗∗ Nicht bei conquerconsoles.com, konsolenkammer24.de oder konsolenstation24.com kaufen ∗∗∗ --------------------------------------------- Die Fakeshops conquerconsoles.com, konsolenkammer24.de und konsolenstation24.com vertreiben Spielkonsolen und Spiele zu unschlagbaren Preisen. Die Fakeshops locken mit Angeboten, wo Sie eine PlayStation 4 samt Spiel und Controller kostengünstig erwerben können. Sie können nur im Voraus per Banküberweisung bezahlen, erhalten aber keine Ware! --------------------------------------------- https://www.watchlist-internet.at/news/nicht-bei-conquerconsolescom-konsole… ===================== = Vulnerabilities = ===================== ∗∗∗ Printer, email and PDF versions - Highly critical - Remote Code Execution - SA-CONTRIB-2018-063 ∗∗∗ --------------------------------------------- Project: Printer, email and PDF versionsVersion: 7.x-2.x-devDate: 2018-October-03Security risk: Highly critical 20∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:UncommonVulnerability: Remote Code ExecutionDescription: This module provides printer-friendly versions of content, including send by e-mail and PDF versions.The module doesnt sufficiently sanitize the arguments passed to the wkhtmltopdf executable, allowing a remote attacker to execute arbitrary shell commands. --------------------------------------------- https://www.drupal.org/sa-contrib-2018-063 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox and python-django), Debian (dnsmasq, firefox-esr, imagemagick, and linux-4.9), Fedora (haproxy), openSUSE (bitcoin, firefox, and texlive), SUSE (openslp), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/767611/ ∗∗∗ Cisco Digital Network Architecture Center Unauthenticated Access Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to bypass authentication and have direct unauthorized access to critical management functions.The vulnerability is due to an insecure default configuration of the affected system. An attacker could exploit this vulnerability by directly connecting to the exposed services. An exploit could allow the attacker to retrieve and modify critical system files. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Digital Network Architecture Center Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the identity management service of Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to bypass authentication and take complete control of identity management functions.The vulnerability is due to insufficient security restrictions for critical management functions. An attacker could exploit this vulnerability by sending a valid identity management request to the affected system. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ More Cisco Security Advisories ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/publicationListing.x ∗∗∗ Red Hat JBoss Web Server: Eine Schwachstelle ermöglicht das Erlangen von Benutzerrechten ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1992/ ∗∗∗ Apache Tomcat: Eine Schwachstelle ermöglicht das Darstellen falscher Informationen ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-2000/ ∗∗∗ ClamAV: Mehrere Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-2008/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2018
by Daily end-of-shift report 03 Oct '18

03 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-10-2018 18:00 − Mittwoch 03-10-2018 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Phishing Attack Uses Azure Blob Storage to Impersonate Microsoft ∗∗∗ --------------------------------------------- A new Office 365 phishing attack utilizes an interesting method of storing their phishing form hosted on Azure Blob Storage in order to be secured by a Microsoft SSL certificate. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-attack-uses-azure-b… ∗∗∗ ct deckt auf: Enigmail verschickt Krypto-Mails im Klartext ∗∗∗ --------------------------------------------- In der verbreiteten Thunderbird-Erweiterung Enigmail steckt ein fataler Fehler. Das Problem betrifft den Junior-Modus, der seit April standardmäßig aktiv ist. --------------------------------------------- https://heise.de/-4180405 ∗∗∗ Popular TP-Link wireless home router open to remote hijacking ∗∗∗ --------------------------------------------- By concatenating a known improper authentication flaw with a newly discovered CSRF vulnerability, remote unauthenticated attackers can obtain full control over TP-Link TL-WR841N, a popular wireless consumer router used worldwide. "This type of remote attack can also compromise routers behind a network address translator (NAT) and those not exposed to the public wide area network (WAN) as the vulnerability is remotely reflected off a locally connected host, rather than coming directly over [...] --------------------------------------------- https://www.helpnetsecurity.com/2018/10/03/tp-link-wireless-home-router-hij… ===================== = Vulnerabilities = ===================== ∗∗∗ Delta Electronics ISPSoft ∗∗∗ --------------------------------------------- This advisory includes mitigations for a stack-based buffer overflow vulnerability in the Delta Electronics ISPSoft software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-275-01 ∗∗∗ GE Communicator ∗∗∗ --------------------------------------------- This advisory includes mitigations for a heap-based buffer overflow vulnerability in GEs Communicator, an application for programming and monitoring supported metering devices. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-275-02 ∗∗∗ Entes EMG 12 ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper authentication and information exposure through query strings in GET request vulnerabilities in the Entes EMG 12 Ethernet Modbus Gateway. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-275-03 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (elfutils), Gentoo (firefox), Red Hat (instack-undercloud, openstack-tripleo-heat-templates and openstack-nova), Slackware (mozilla), SUSE (ghostscript, ImageMagick, kernel, mgetty, qemu, and unzip), and Ubuntu (firefox, haproxy, kernel, liblouis, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/767539/ ∗∗∗ ZDI-18-1107: (0Day) Wecon PIStudio screendata HSC Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1107/ ∗∗∗ ZDI-18-1106: (0Day) Wecon PIStudio xmlparser LoadXMLFile XML External Entity Processing Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1106/ ∗∗∗ ZDI-18-1109: (0Day) Wecon PIStudio basedll TextContent Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1109/ ∗∗∗ ZDI-18-1108: (0Day) Wecon PIStudio cximageu Image Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1108/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ HPESBGN03900 rev.1 - HPE enhanced Internet Usage Manager (eIUM) Remote Unauthorized Disclosure of Information vulnerability and Remote Bypass Security Restrictions ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Security vulnerabilities fixed in Firefox 62.0.3 and Firefox ESR 60.2.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.10.2018
by Daily end-of-shift report 02 Oct '18

02 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Montag 01-10-2018 18:00 − Dienstag 02-10-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Security Update for Foxit PDF Reader Fixes 118 Vulnerabilities ∗∗∗ --------------------------------------------- It has not been a good week for PDF programs. We had an Adobe Acrobat & Reader update released yesterday that fixed 86 vulnerabilities, including numerous critical ones. Not to be beaten, an update for Foxit PDF Reader and Foxit PhantomPDF was released last Friday that fixes a whopping 116 vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/security-update-for-foxit-pd… ∗∗∗ Nine NAS Bugs Open LenovoEMC, Iomega Devices to Attack ∗∗∗ --------------------------------------------- Rated as high-risk vulnerabilities, these privilege-escalation flaws could allow an unauthenticated attacker to access protected content. --------------------------------------------- https://threatpost.com/nine-nas-bugs-open-lenovoemc-iomega-devices-to-attac… ∗∗∗ Keine Rechnung von ibostream.de und sobastream.de zahlen ∗∗∗ --------------------------------------------- Die Abo-Fallen ibostream.de und sobastream.de sehen für ihre Nutzung eine kostenlose Registrierung vor. Fünf Tagen nach der Registrierung erhalten Konsument/innen von der Ibo Das Limited oder der Stream It Limited eine Rechnung von 359,88- Euro. Nutzer/innen müssen die Summe nicht bezahlen, denn zwischen ihnen und ibostream.de oder sobastream.de gibt es keinen Vertrag. --------------------------------------------- https://www.watchlist-internet.at/news/keine-rechnung-von-ibostreamde-und-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücken in Adobe Acrobat und Reader - Patches verfügbar ∗∗∗ --------------------------------------------- Adobe hat ausserhalb des monatlichen Patch-Zyklus Updates für Acrobat und Reader veröffentlicht, mit denen teils kritische Sicherheitslücken geschlossen werden. --------------------------------------------- https://www.cert.at/warnings/all/20181002.html ∗∗∗ Android Security Bulletin - October 2018 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. [...] The most severe of these issues is a critical security vulnerability in Framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2018-10-01.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (lib32-libxml2, libxml2, mosquitto, and ntp), Debian (kernel and strongswan), Fedora (firefox), openSUSE (zsh), Oracle (kernel), Red Hat (ceph-iscsi-cli), SUSE (openssl-1_0_0), and Ubuntu (kernel, linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-gcp, linux-lts-trusty, linux-lts-xenial, linux-aws, and strongswan). --------------------------------------------- https://lwn.net/Articles/767467/ ∗∗∗ Vuln: LibTIFF CVE-2018-17795 Heap Based Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/105445 ∗∗∗ Red Hat JBoss A-MQ, Red Hat JBoss Fuse: Eine Schwachstelle ermöglicht das Erlangen von Benutzerrechten ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1989/ ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities in GSKit used by Edge Caching proxy of WebSphere Application Server ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10732391 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in OAuth ear in WebSphere Application Server (CVE-2018-1794) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729571 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in SAML ear in WebSphere Application Server (CVE-2018-1793) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729563 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private (CVE-2018-0739,CVE-2017-17512, CVE-2018-1000122) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10719199 ∗∗∗ IBM Security Bulletin: IBM b-type Network/Storage switches are affected by Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN (openssl ,redhat,openVPN) vulnerabilities. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1010724 ∗∗∗ Password disclosure vulnerability & XSS in PTC ThingWorx ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/password-disclosure-vulnerab… ∗∗∗ HPESBHF03897 rev.1 - HPE Switches and Routers using OpenSSL, and Intelligent Management Center (iMC) PLAT, Remote Denial of Service ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.10.2018
by Daily end-of-shift report 01 Oct '18

01 Oct '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-09-2018 18:00 − Montag 01-10-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ IC3 Issues Alert Regarding Remote Desktop Protocol (RDP) Attacks ∗∗∗ --------------------------------------------- The Internet Crime Complaint Center (IC3), in collaboration with the Department of Homeland Security and the FBI, have issued a security alert regarding attacks being conducted through the Windows Remote Desktop Protocol. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ic3-issues-alert-regarding-r… ∗∗∗ FBI löst Rätsel um 15 Jahre alte Malware ∗∗∗ --------------------------------------------- Jahrelang spionierte die Fruitfly-Malware unbemerkt Mac-User aus. Nun wurde bekannt, wie die Schadsoftware verbreitet wurde. --------------------------------------------- https://futurezone.at/digital-life/fbi-loest-raetsel-um-15-jahre-alte-malwa… ∗∗∗ Dark Web Azorult Generator Offers Free Binaries to Cybercrooks ∗∗∗ --------------------------------------------- The Gazorp online builder makes it easy to start stealing passwords, credit-card information, cryptocurrency wallet data and more. --------------------------------------------- https://threatpost.com/dark-web-azorult-generator-offers-free-binaries-to-c… ∗∗∗ 70+ different types of home routers(all together 100,000+) are being hijacked by GhostDNS ∗∗∗ --------------------------------------------- note:We have informed various ISPs on the IoC list, and OVH, ORACLE, Google have taken down the related IPs and some others are working on it (Thanks!)Background introductionDNSchanger is not something new and was quite active years ago [1], we occasionally encountered one every once in a [...] --------------------------------------------- http://blog.netlab.360.com/70-different-types-of-home-routers-all-together-… ∗∗∗ Oktober ist Cyber Security-Monat! ∗∗∗ --------------------------------------------- Unter dem Titel "Cyber Security is a Shared Responsibility" findet im Oktober die inzwischen 7. Kampagne der EU zur Verbesserung der allgemeinen Informationssicherheit statt: Der Europäische Cybersicherheitsmonat (ECSM) ist ein breit koordiniertes und umfangreich aufgestelltes Veranstaltungsformat, das Bewusstsein fördern und Kenntnisse vermitteln will. So werden Schritte aufzeigt, die alle Bürger*innen und Organisationen zum Schutz von persönlichen, finanziellen [...] --------------------------------------------- https://www.ikarussecurity.com/at/ueber-ikarus/security-blog/oktober-ist-cy… ∗∗∗ Facebook-Hack: Kombination aus mehreren Software-Lücken war schuld ∗∗∗ --------------------------------------------- Drei Lücken exponierten Millionen Facebook-Konten, darunter das von Mark Zuckerberg. Womöglich waren auch Drittanbieter-Dienste per Facebook-Login betroffen. --------------------------------------------- https://heise.de/-4178569 ∗∗∗ Explosion of look-alike domains aims to steal sensitive data from online shoppers ∗∗∗ --------------------------------------------- Venafi released research on the explosion of look-alike domains, which are routinely used to steal sensitive data from online shoppers. Venafi's research analyzed suspicious domains targeting the top 20 retailers in five key markets: the U.S., U.K., France, Germany and Australia. --------------------------------------------- https://www.helpnetsecurity.com/2018/10/01/look-alike-domains/ ∗∗∗ Erpressung mit intimen Videomaterial ∗∗∗ --------------------------------------------- Kriminelle versenden eine E-Mail, in der es heißt, dass sie das Empfänger/innen-Konto übernommen haben und sein Passwort kennen. Opfer sollen 600 US-Dollar in Bitcoins zahlen, damit die Verbrecher/innen kein intimes Videomaterial veröffentlichen. Konsument/innen können die Nachricht ignorieren und müssen nur ihr Passwort ändern. Eine Zahlung ist nicht erforderlich. --------------------------------------------- https://www.watchlist-internet.at/news/erpressung-mit-intimen-videomaterial/ ===================== = Vulnerabilities = ===================== ∗∗∗ Skype On Debian Microsoft Apt Repo Addition ∗∗∗ --------------------------------------------- Topic: Skype On Debian Microsoft Apt Repo Addition Risk: High Text:Level: Critical Description: The Skype debian packege for Skype (even when not installed via their offical repo) [...] --------------------------------------------- https://cxsecurity.com/issue/WLB-2018090274 ∗∗∗ UPDATED: Security Bulletins Posted ∗∗∗ --------------------------------------------- [...] UPDATE: As of September 28, Adobe is aware of a report that CVE-2018-15961 is being actively exploited in the wild. The updates for ColdFusion 2018 and ColdFusion 2016 announced in APSB18-33 have been elevated to Priority 1, and Adobe recommends customers update to the latest version as soon as possible. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1607 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (mediawiki), CentOS (389-ds-base, firefox, flatpak, kernel, mod_perl, nss, spice and spice-gtk, and spice-gtk and spice-server), Debian (389-ds-base, ghostscript, mosquitto, and python3.5), Fedora (ca-certificates, firefox, glusterfs, kernel-headers, kernel-tools, libxkbcommon, udisks2, and zchunk), Mageia (firefox), openSUSE (gd, gnutls, mgetty, openssl, and yast2-smt), Oracle (firefox and kernel), Scientific Linux (firefox), SUSE (libX11 and [...] --------------------------------------------- https://lwn.net/Articles/767373/ ∗∗∗ Security Advisory - FRP Bypass Vulnerability in MyCloud APP of Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180930-… ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a Publicly disclosed Apache Struts vulnerability ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10732783 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM i ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731329 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10732785 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10732477 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10733457 ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a Using Components with Known Vulnerabilities vulnerability ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10730313 ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a Improper Certificate Validation vulnerability ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10730321 ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a Using Components with Known Vulnerabilities vulnerabilities ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10730329 ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a Missing Security Control vulnerability ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10730323 ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a Password in Clear Text vulnerability ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10730317 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2018
by Daily end-of-shift report 28 Sep '18

28 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-09-2018 18:00 − Freitag 28-09-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ New Iot Botnet Torii Uses Six Methods for Persistence, Has No Clear Purpose ∗∗∗ --------------------------------------------- Security researchers discovered a new IoT botnet that is in a league superior to the Mirai variants .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-iot-botnet-torii-uses-si… ∗∗∗ Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV ∗∗∗ --------------------------------------------- Removing the need for files is the next progression of attacker techniques. While fileless techniques used to be employed almost exclusively in sophisticated cyberattacks, they are now becoming widespread in common malware, .. --------------------------------------------- https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-bu… ∗∗∗ Credential Leak Flaws in Windows PureVPN Client ∗∗∗ --------------------------------------------- Using a VPN (Virtual Private Network) can bring many advantages, particularly when you want to .. --------------------------------------------- https://trustwave.com/Resources/SpiderLabs-Blog/Credential-Leak-Flaws-in-Wi… ∗∗∗ DNSSEC Key Signing Key Rollover ∗∗∗ --------------------------------------------- Original release date: September 27, 2018 On October 11, 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) will be changing the Root Zone Key Signing Key (KSK) used in the Domain Name System (DNS) Security .. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2018/09/27/DNSSEC-Key-Signing… ∗∗∗ [SANS ISC] More Excel DDE Code Injection ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “More Excel DDE Code Injection“: The “DDE code injection” technique is not brand new. DDE stands for “Dynamic Data Exchange”. It has already been discussed by many security researchers. Just a quick .. --------------------------------------------- https://blog.rootshell.be/2018/09/28/sans-isc-more-excel-dde-code-injection/ ∗∗∗ Stellungnahme des BSI zur Schadsoftware "LoJax" ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/LoJax-Schad… ===================== = Vulnerabilities = ===================== ∗∗∗ Emerson AMS Device Manager ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper access control and improper privilege management vulnerabilities in the Emerson AMS Device Manager software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-270-01 ∗∗∗ Fuji Electric Alpha5 Smart Loader ∗∗∗ --------------------------------------------- This advisory includes information on classic buffer overflow and heap-based buffer overflow vulnerabilities in Fuji Electrics Alpha5 Smart Loader servo drive. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-270-02 ∗∗∗ Fuji Electric FRENIC Devices ∗∗∗ --------------------------------------------- This advisory includes information on buffer over-read, out-of-bounds read, and stack-based buffer overflow vulnerabilities in Fuji Electrics FRENIC HVAC drive devices. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-270-03 ∗∗∗ OpenSSH vulnerability CVE-2018-15473 ∗∗∗ --------------------------------------------- OpenSSH vulnerability CVE-2018-15473. Security Advisory. Security Advisory Description. OpenSSH through 7.7 is prone ... --------------------------------------------- https://support.f5.com/csp/article/K28942395 ∗∗∗ ZDI-18-1093: Delta Industrial Automation PMSoft rtl60 File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1093/ ∗∗∗ Foxit Reader, Foxit PhantomPDF: Mehrere Schwachstellen ermöglichen u. a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1972/ ∗∗∗ IBM Security Bulletin: PowerKVM has released fixes in response to the vulnerabilities known as Foreshadow ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10733108 ∗∗∗ IBM Security Bulletin: Security Misconfiguration during Combined Cumulative Fix Installation Affects IBM WebSphere Portal (CVE-2018-1420) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22014276 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2018
by Daily end-of-shift report 27 Sep '18

27 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-09-2018 18:00 − Donnerstag 27-09-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB18-30) ∗∗∗ --------------------------------------------- A prenotification security advisory (APSB18-30) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Tuesday, October 02, 2018. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1621 ∗∗∗ Password Managers Can Be Tricked Into Believing That Malicious Android Apps Are Legitimate ∗∗∗ --------------------------------------------- A new academic study published today reveals that Android-based password managers have a hard time distinguishing between legitimate and fake applications, leading to easy phishing scenarios. From a report: The study looked at how password managers work on modern versions of the Android OS, and which of the OS features attackers can abuse to collect user credentials via phishing attacks carried out via fake, lookalike apps. --------------------------------------------- https://it.slashdot.org/story/18/09/26/1534203/password-managers-can-be-tri… ∗∗∗ LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group ∗∗∗ --------------------------------------------- Some UEFI rootkits have been presented as proofs of concept; some are known to be at the disposal of (at least some) governmental agencies. However, no UEFI rootkit has ever been detected in the wild – until we discovered a campaign by the Sednit APT group that successfully deployed a malicious UEFI module on a victim’s system. --------------------------------------------- https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wi… ∗∗∗ Geldmacherei mit e-Visum für Ägypten ∗∗∗ --------------------------------------------- Konsument/innen, die nach Ägypten einreisen möchten, müssen ein e-Visum beantragen. Auf der offiziellen Regierungswebsite visa2egypt.gov.eg kostet es für eine einmalige Einreise als Tourist/in 25 US-Dollar. Das ist der günstigste Preis für das e-Visum. Andere Anbieter/innen verlangen dafür wesentlich höhere Kosten. Aus diesem Grund ist bei der Beantragung Vorsicht geboten. --------------------------------------------- https://www.watchlist-internet.at/news/geldmacherei-mit-e-visum-fuer-aegypt… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, otrs2, and strongswan), Fedora (kernel-headers, moodle, ntp, visualboyadvance-m, and yaml-cpp), Mageia (rsyslog), openSUSE (ant, libzypp, zypper, shadow, and tiff), Oracle (389-ds-base, flatpak, kernel, nss, and openssl), Red Hat (rh-perl524-mod_perl and rh-perl526-mod_perl), Scientific Linux (389-ds-base, flatpak, kernel, and nss), SUSE (firefox, gd, glibc, kernel, mgetty, php7, and wireshark), and Ubuntu (udisks2). --------------------------------------------- https://lwn.net/Articles/766959/ ∗∗∗ WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0007 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit. ... We recommend updating to the latest stable versions of WebKitGTK+ and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2018-0007.html ∗∗∗ Cisco Catalyst 6800 Series Switches ROM Monitor Software Secure Boot Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Web UI Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software HTTP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software VLAN Trunking Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software TACACS+ Client Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software SM-1T3/E3 Service Module Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software NAT Session Initiation Protocol Application Layer Gateway Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Shell Access Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS Software Precision Time Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Privileged EXEC Mode Root Shell Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software Plug and Play Agent Memory Leak Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software OSPFv3 Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software MACsec MKA Using EAP-TLS Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS Software for Cisco 800 Series Industrial Integrated Services Routers Arbitrary Memory Write Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software IPv6 Hop-by-Hop Options Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software and Cisco ASA 5500-X Series Adaptive Security Appliance IPsec Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Errdisable Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Digital Signature Verification Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software Cluster Management Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XE Software Cisco Discovery Protocol Memory Leak Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software Cisco Discovery Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: A vulnerability in PostgreSQL affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10730491 ∗∗∗ IBM Security Bulletin: A vulnerability in gnupg2 affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10720353 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10732455 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10732457 ∗∗∗ IBM Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10716879 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private and IBM Cloud Private Cloud Foundry (CVE-2018-7167, CVE-2018-7164, CVE-2018-7162, CVE-2018-1000168, CVE-2018-7161) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10718901 ∗∗∗ IBM Security Bulletin: Arbitrary URL Redirection (CVE-2018-1704) affects IBM Platform Symphony, IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10719671 ∗∗∗ IBM Security Bulletin: XML Entity Expansion vulnerability (CVE-2018-1702) affects IBM Platform Symphony, IBM Spectrum Symphony ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10719659 ∗∗∗ IBM Security Bulletin: A vulnerability in policycoreutils affects PowerKVM ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10728473 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i and Rational Developer for AIX and Linux Security Bulletin ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10730623 ∗∗∗ HPESBST03884 rev.1 - HPE ConvergedSystem 700 Solutions Using HPE 3PAR Service Processor, Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en&docId=emr_na-h… ∗∗∗ HPESBHF03890 rev.1 - HPE Service Governance Framework (SGF) - Remote Unauthorized Disclosure of Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03901 rev.1 - HPE intelligence Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03902 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03884 rev.2 - HPE ConvergedSystem 700 Solutions Using HPE 3PAR Service Processor, Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2018
by Daily end-of-shift report 26 Sep '18

26 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-09-2018 18:00 − Mittwoch 26-09-2018 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Der nächste Meilenstein: [CERT.at #1000000] ∗∗∗ --------------------------------------------- Für unsere Kommunikation per E-Mail verwenden wir (wie viele Firmen) ein Ticketsystem, damit a) die Kommunikation für alle Teammitglieder nachvollziehbar ist, dass b) möglichst keine Anfragen unbeantwortet bleiben und c) der Workflow mit Meldung/Vorfall/Nachforschung abgebildet werden kann. --------------------------------------------- http://www.cert.at/services/blog/20180926100651-2293.html ∗∗∗ Nach Safari und Chrome: Firefox ins Jenseits befördern ∗∗∗ --------------------------------------------- Mit einem präparierten Link kann Mozillas Firefox zum Absturz gebracht werden. Ähnliches hat ein Sicherheitsforscher zuvor mit Apples Safari und Googles Chrome gezeigt. Auf einer Webseite sammelt er die Lücken - mitsamt Absturz-Button. --------------------------------------------- https://www.golem.de/news/nach-safari-und-chrome-firefox-ins-jenseits-befoe… ∗∗∗ New CVE-2018-8373 Exploit Spotted ∗∗∗ --------------------------------------------- On September 18, 2018, more than a month after we published a blog revealing the details of a use-after-free (UAF) vulnerability CVE-2018-8373 that affects the VBScript engine in newer Windows versions, we spotted another exploit that uses the same vulnerability. Its important to note that this exploit doesnt work on systems with updated Internet Explorer versions. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2018-83… ∗∗∗ Full compliance with the PCI DSS drops for the first time in six years ∗∗∗ --------------------------------------------- After documenting improvements in Payment Card Industry Data Security Standard (PCI DSS) compliance over the past six years (2010 – 2016), Verizon’s 2018 Payment Security Report (PSR) now reveals a concerning downward trend with companies failing compliance assessments and perhaps, more importantly, not maintaining – full compliance. --------------------------------------------- https://www.helpnetsecurity.com/2018/09/26/pci-dss-compliance-drop/ ∗∗∗ Gefälschte kabelplus-Phishingmail im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte kabelplus-Nachricht. Darin behaupten sie, dass „ihr Kabelplus Webmail (kabsi.at) Nachrichtenspeicher das Limit-Kontingent in unserer Datenbank erreicht“ hat. Aus diesem Grund sollen Kund/innen eine externe Website aufrufen und persönliche Daten bekannt geben. Diese übermitteln sie nicht an kabelplus, sondern an Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-kabelplus-phishingmail-i… ===================== = Vulnerabilities = ===================== ∗∗∗ Magecart Attacks Grow Rampant in September ∗∗∗ --------------------------------------------- Attacks that compromise websites with scripts that steal payment card data from checkout pages have increased to hundreds of thousands of attempts in little over a month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magecart-attacks-grow-rampan… ∗∗∗ VU#581311: TP-Link EAP Controller lacks RMI authentication and is vulnerable to deserialization attacks ∗∗∗ --------------------------------------------- TP-Link EAP Controller lacks RMI authentication and is vulnerable to deserialization attacks The TP-LINK EAP Controller is TP-LINKs software for remotely controlling wireless access point devices. EAP Controller for Linux lacks user authentication for RMI service commands, as well as utilizes an outdated vulnerable version of Apache commons-collections, which may allow an attacker to implement deserialization attacks and control the EAP Controller server. --------------------------------------------- http://www.kb.cert.org/vuls/id/581311 ∗∗∗ One Emotet infection leads to three follow-up malware infections, (Wed, Sep 26th) ∗∗∗ --------------------------------------------- In recent weeks, I've generally seen Emotet retrieve Trickbot, the IcedID banking Trojan, or spambot malware for its follow-up infection. I rarely see Emotet retrieve more than one type of follow-up malware. But on Tuesday 2018-09-25, my infected lab host retrieved Trickbot and IcedID immediately after an Emotet infection. Then IcedID caused another infection with AZORult on the same host. --------------------------------------------- https://isc.sans.edu/diary/rss/24140 ∗∗∗ eDirectory 9.1.1 Hot Patch 1 ∗∗∗ --------------------------------------------- This patch is an update to eDirectory 9.1 Support Pack 1 (9.1.1). This update is being provided to resolve potential critical issues found since the latest patch Architecture: x86-64 Security patch: Yes Priority: Mandatory --------------------------------------------- https://download.novell.com/Download?buildid=vP3nS-Hctkk~ ∗∗∗ Stored Cross-Site Scripting in Kendo UI Editor ∗∗∗ --------------------------------------------- A cross-site scripting (XSS) vulnerability in Progress Kendo UI Editor v2018.1.221 allows remote attackers to inject arbitrary JavaScript into the DOM of the WYSIWYG editor. If the victim accesses the editor, the payload gets executed. Furthermore, if the payload is reflected at any other resource that does rely on the sanitisation of the editor itself, the JavaScript payload will be executed in the context of the application which allows attackers in the worst case to take over user sessions. --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/stored-cross-site-scripting-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python2.7 and python3.4), openSUSE (php5-smarty3), Oracle (389-ds-base, flatpak, kernel, and nss), Red Hat (389-ds-base, chromium-browser, flatpak, kernel, kernel-alt, kernel-rt, nss, and qemu-kvm-ma), and SUSE (ant, dom4j, kernel, and wireshark). --------------------------------------------- https://lwn.net/Articles/766746/ ∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability Affects IBM WebSphere Portal (CVE-2018-1820) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10732287 ∗∗∗ IBM Security Bulletin: Security Vulnerability in Apache Batik Affects IBM WebSphere Portal (CVE-2018-8013) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731435 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK Affect IBM Algo Credit Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10728567 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Runtime Environments Java Technology Edition, Versions 7 & 8 Affect Transformation Extender ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10720173 ∗∗∗ IBM Security Bulletin: Open Redirect Vulnerability in IBM WebSphere Portal (CVE-2018-1736) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729683 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2018-1716) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729323 ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Cloud ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10732916 ∗∗∗ IBM Security Bulletin: Open Source Libvorbis, Patch and Python-paramiko vulnerabilities affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10729297 ∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2018-1660) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10715923 ∗∗∗ IBM Security Bulletin: Publicly disclosed vulnerability from BIND affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10729637 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.09.2018
by Daily end-of-shift report 25 Sep '18

25 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Montag 24-09-2018 18:00 − Dienstag 25-09-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Android Trojan reads Whatsapp-Messages ∗∗∗ --------------------------------------------- A spyware still in development can read users Whatsapp-Messages and other sensitive data. G DATA researchers analysed the Malware to protect our customers. --------------------------------------------- https://www.gdatasoftware.com/blog/2018/09/31122-android-trojan-reads-whats… ∗∗∗ OpenPGP/GnuPG: Signaturen fälschen mit HTML und Bildern ∗∗∗ --------------------------------------------- PGP-Signaturen sollen gewährleisten, dass eine E-Mail tatsächlich vom korrekten Absender kommt. Mit einem simplen Trick kann man bei vielen Mailclients scheinbar signierte Nachrichten erstellen - indem man die entsprechende Anzeige mittels HTML fälscht. (OpenPGP, E-Mail) --------------------------------------------- https://www.golem.de/news/openpgp-gnupg-signaturen-faelschen-mit-html-und-b… ∗∗∗ Analyzing Encoded Shellcode with scdbg, (Mon, Sep 24th) ∗∗∗ --------------------------------------------- Reader Jason analyzed a malicious RTF file: using OfficeMalScanner and xorsearch he was able to extract and find the entry point of the shellcode, but scdbg was not able to emulate the shellcode. --------------------------------------------- https://isc.sans.edu/diary/rss/24134 ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Cisco Identity Services Engine ∗∗∗ --------------------------------------------- Cisco Identity Services Engine (ISE) contains the following vulnerabilities: Cisco ISE Authenticated Arbitrary Command Execution Vulnerability Cisco ISE Support Information Download Authentication Bypass Vulnerability These .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… ∗∗∗ DSA-4305 strongswan - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4305 ∗∗∗ ZDI-18-1083: Apple Safari Array Concat Uninitialized Buffer Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1083/ ∗∗∗ ZDI-18-1082: Apple Safari Subframe Same-Origin Policy Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1082/ ∗∗∗ ZDI-18-1081: Apple Safari performProxyCall Internal Object Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1081/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.09.2018
by Daily end-of-shift report 24 Sep '18

24 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-09-2018 18:00 − Montag 24-09-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malware Disguised as Job Offers Distributed on Freelance Sites ∗∗∗ --------------------------------------------- Attackers are using freelance job sites such as fiverr and Freelancer to distribute malware disguised as job offers. These job offers contain attachments that pretends to be the job brief, but are actually .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-disguised-as-job-off… ∗∗∗ Security: Curl bekommt eigenes Bug-Bounty-Programm ∗∗∗ --------------------------------------------- Das kleine Kommandozeilenwerkzeug Curl und dessen Bibliothek finden sich in nahezu allen vernetzten Geräten. Sicherheitsforscher erhalten künftig eine Bug-Bounty, also Geld für das Auffinden von Sicherheitslücken in der .. --------------------------------------------- https://www.golem.de/news/security-curl-bekommt-eigenes-bug-bounty-programm… ∗∗∗ Adwind Dodges AV via DDE ∗∗∗ --------------------------------------------- Cisco Talos, along with fellow cybersecurity firm ReversingLabs, recently discovered a .. --------------------------------------------- https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html ∗∗∗ Security - Android: Immer mehr Hersteller liefern Sicherheits-Updates ∗∗∗ --------------------------------------------- Mittlerweile 250 Modelle mit Patch Level aus den letzten 90 Tagen – Google zahlt 3 Millionen Dollar für Bug Bounties --------------------------------------------- https://derstandard.at/2000087981052/Android-Immer-mehr-Hersteller-liefern-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Video Surveillance Manager Appliance Default Password Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in Cisco Video Surveillance Manager (VSM) Software running on certain Cisco Connected Safety and Security Unified Computing System (UCS) platforms could allow an unauthenticated, remote .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ DSA-4301 mediawiki - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4301 ∗∗∗ DSA-4302 openafs - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4302 ∗∗∗ ZDI-18-1079: Cisco WebEx Network Recording Player NMVC RtpConfig Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1079/ ∗∗∗ ZDI-18-1078: Cisco WebEx Network Recording Player NMVC RtpConfig Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1078/ ∗∗∗ Multiple vulnerabilities in Citrix StorageZones Controller ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-cit… ∗∗∗ Security vulnerabilities fixed in Firefox ESR 60.2.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2018-23/ ∗∗∗ Security vulnerabilities fixed in Firefox 62.0.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2018-22/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.09.2018
by Daily end-of-shift report 21 Sep '18

21 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-09-2018 18:00 − Freitag 21-09-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Unwiped Drives and Servers from NCIX Retailer for Sale on Craigslist ∗∗∗ --------------------------------------------- Servers and storage disks filled with millions of unencrypted confidential records of employees, customers .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unwiped-drives-and-servers-f… ∗∗∗ Pre-Pwned AMI Images in Amazons AWS public instance store, (Fri, Sep 21st) ∗∗∗ --------------------------------------------- I keep getting reports about AMI images in Amazon&#;x26;#;39;s AWS, which come "pre-pwned." These images .. --------------------------------------------- https://isc.sans.edu/diary/rss/24126 ∗∗∗ AES Resulted in a $250-Billion Economic Benefit ∗∗∗ --------------------------------------------- NIST has released a new study concluding that the AES encryption standard has resulted in a $250-billion worldwide economic benefit over the past 20 years. I have no idea how to even begin to assess the quality of the .. --------------------------------------------- https://www.schneier.com/blog/archives/2018/09/aes_resulted_in.html ∗∗∗ DanaBot shifts its targeting to Europe, adds new features ∗∗∗ --------------------------------------------- Recently, we have spotted a surge in activity of DanaBot, a stealthy banking Trojan discovered earlier this year. The malware, first observed in campaigns targeting Australia and later Poland, has apparently .. --------------------------------------------- https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new… ∗∗∗ Cyber - USA und Großbritannien rüsten im Cyberspace auf ∗∗∗ --------------------------------------------- Größerer Fokus auf eigene Offensiven gegen Angreifer von außen --------------------------------------------- https://derstandard.at/2000087842532/USA-und-Grossbritannien-ruesten-im-Cyb… ===================== = Vulnerabilities = ===================== ∗∗∗ Tec4Data SmartCooler ∗∗∗ --------------------------------------------- This advisory includes mitigations for a missing authentication for critical function vulnerability in Tec4Datas SmartCooler, a cooling appliance. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-263-01 ∗∗∗ Rockwell Automation RSLinx Classic ∗∗∗ --------------------------------------------- This advisory includes mitigations for stack-based buffer overflow, heap-based buffer overflow, and resource exhaustion vulnerabilities in Rockwell Automation’s RSLinx Classic. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-263-02 ∗∗∗ Security Advisory 2018-05: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- https://community.otrs.com/security-advisory-2018-05-security-update-for-ot… ∗∗∗ Security Advisory 2018-04: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- https://community.otrs.com/security-advisory-2018-04-security-update-for-ot… ∗∗∗ Vuln: Microsoft Windows JET Database Engine Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/105376 ∗∗∗ Wireshark Bugs in Multiple Dissectors Let Remote Users Cause the Application to Crash or Consume Excessive CPU Resources ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041608 ∗∗∗ MediaWiki Multiple Flaws Let Remote Authenticated Users Bypass Security Restrictions and Obtain Potentially Sensitive Information ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041695 ∗∗∗ Asterisk Stack Overflow in HTTP Websocket Upgrade Lets Remote Users Cause the Target Service to Crash ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041694 ∗∗∗ RSA Authentication Manager Input Validation Flaws Let Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041697 ∗∗∗ HPESBST03881 rev.1 - HPE Command View Advanced Edition (CVAE), Local and Remote Access Restriction Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03879 rev.1 - HPE StorageWorks XP7 Automation Director (AutoDir), Local and Remote Authentication Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03882 rev.1 - HPE Command View Advance Edition (CVAE) using JDK, Local and Remote Authentication Bypass ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2018
by Daily end-of-shift report 20 Sep '18

20 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-09-2018 18:00 − Donnerstag 20-09-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hunderttausende Überwachungskameras wegen Linux-Schwachstelle angreifbar ∗∗∗ --------------------------------------------- Die Angreifer können die Aufzeichnungen live ansehen, Material löschen oder Videos in Dauerschleife abspielen, um Einbrüche zu verschleiern. --------------------------------------------- https://futurezone.at/digital-life/hunderttausende-ueberwachungskameras-weg… ∗∗∗ BSI veröffentlicht Übersicht qualifizierter DDoS-Mitigation-Dienstleister ∗∗∗ --------------------------------------------- Basierend auf den ebenfalls veröffentlichten Auswahlkriterien für qualifizierte Dienstleister wurde ein wettbewerbsneutrales Verfahren entwickelt, durch das erste geeignete DDoS-Mitigation-Dienstleister identifiziert werden konnten. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/DDos-Mitiga… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glusterfs, php5, reportbug, and suricata), openSUSE (chromium and exempi), Red Hat (openstack-rabbitmq-container), SUSE (couchdb, crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui, gdm, OpenStack, pango, and webkit2gtk3), and Ubuntu (bind9, lcms, lcms2, and lcms2). --------------------------------------------- https://lwn.net/Articles/765814/ ∗∗∗ Vuln: Symantec Messaging Gateway CVE-2018-12243 XML External Entity Injection Vulnerability ∗∗∗ --------------------------------------------- Symantec Messaging Gateway is prone to an XML External Entity injection vulnerability. Attackers can exploit this issue to gain access to sensitive information or cause denial-of-service conditions. Versions prior to Messaging Gateway 10.6.6 are vulnerable --------------------------------------------- http://www.securityfocus.com/bid/105330 ∗∗∗ Vuln: Symantec Messaging Gateway CVE-2018-12242 Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- Symantec Messaging Gateway is prone to an authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may lead to further attacks. Versions prior to Messaging Gateway 10.6.6 are vulnerable --------------------------------------------- http://www.securityfocus.com/bid/105329 ∗∗∗ Cisco Webex Network Recording Player Remote Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Network Recording Player Remote Code Execution Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX Security Bulletin ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10730909 ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private Cloud Foundry (CVE-2018-11047) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731715 ∗∗∗ IBM Security Bulletin: Privilege escalation vulnerability affects IBM Db2 Administrative Task Scheduler (CVE-2018-1711). ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729983 ∗∗∗ IBM Security Bulletin: Buffer overflow in IBM Db2 tool db2licm (CVE-2018-1710). ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729981 ∗∗∗ IBM Security Bulletin: Privilege escalation in IBM Db2 tool db2cacpy (CVE-2018-1685). ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729979 ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects AIX (CVE-2018-0732) Security Bulletin ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731039 ∗∗∗ IBM Security Bulletin: IBM Cloud Private Cloud Foundry is vulnerable to a security vulnerability ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731705 ∗∗∗ IBM Security Bulletin: Vulnerabilities in GSKit affect IBM Spectrum Scale used by DB2 pureScale (CVE-2018-1431, CVE-2018-1447, CVE-2017-3732, CVE-2016-0705) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731657 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2018
by Daily end-of-shift report 19 Sep '18

19 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-09-2018 18:00 − Mittwoch 19-09-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Western Digitals My Cloud NAS Devices Turn Out to Be Easily Hacked ∗∗∗ --------------------------------------------- Security researchers have discovered an authentication bypass vulnerability in Western Digitals My Cloud NAS devices that potentially allows an unauthenticated attacker to gain admin-level control to the affected devices. --------------------------------------------- https://thehackernews.com/2018/09/wd-my-cloud-nas-hacking.html ∗∗∗ XBash Malware Packs Double Punch: Destroys Data and Mines for Crypto Coins ∗∗∗ --------------------------------------------- It appears that on Windows, Xbash will focus on malicious cryptomining functions and self-propagation techniques, while on Linux systems, the malware will flaunt its data destructive tendencies; as the malware triggers a downloader to execute a coinminer on Windows, while on Linux it flaunts ransomware functions. --------------------------------------------- https://threatpost.com/xbash-malware-packs-double-punch-destroys-data-and-m… ∗∗∗ TIPs to Securely Deploy Industrial Control Systems ∗∗∗ --------------------------------------------- Schneider Electric has authored a whitepaper “Effective Implementation of Cybersecurity Countermeasures in Industrial Control Systems” that takes asset owners through the system deployment process. In this blog article, I will provide a brief overview of the concepts presented in the whitepaper. --------------------------------------------- https://blog.schneider-electric.com/cyber-security/2018/09/18/tips-to-secur… ∗∗∗ Fake finance apps on Google Play target users from around the world ∗∗∗ --------------------------------------------- Another set of fake finance apps has found its way into the official Google Play store. This time, the apps have impersonated six banks from New Zealand, Australia, the United Kingdom, Switzerland and Poland, and the Austrian cryptocurrency exchange Bitpanda. Using bogus forms, the malicious fakes phish for credit card details and/or login credentials to the impersonated legitimate services. --------------------------------------------- https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-tar… ∗∗∗ Multi-Vector WordPress Infection from Examhome ∗∗∗ --------------------------------------------- This September, we’ve been seeing a massive infection wave that injects malicious JavaScript code into .js, .php files and the WordPress database. --------------------------------------------- http://labs.sucuri.net/?note=2018-09-18 ===================== = Vulnerabilities = ===================== ∗∗∗ Security Updates available for Adobe Acrobat and Reader (APSB18-34) ∗∗∗ --------------------------------------------- Adobe has published security bulletin for Adobe Acrobat and Reader (APSB18-34) for Windows and MacOS. These updates address critical and important vulnerabilities, and Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1617 ∗∗∗ BSRT-2018-003 Directory traversal vulnerability impacts the Connect Service of the BlackBerry Enterprise Mobility Server ∗∗∗ --------------------------------------------- This advisory addresses a directory traversal vulnerability that has been discovered in the Connect Service of the BlackBerry Enterprise Mobility Server (BEMS). BlackBerry is not aware of any exploitation of this vulnerability. Customer risk is limited ... --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Google Chrome, Chromium: Eine Schwachstelle ermöglicht nicht spezifizierte Angriffe ∗∗∗ --------------------------------------------- Ein Angreifer kann aufgrund einer Schwachstelle welche mit dem Schweregrad 'high' bewertet wird nicht weiter spezifizierte Angriffe ausführen. In der Vergangenheit konnten derartige Schwachstellen zumeist von einem entfernten und nicht authentisierten Angreifer ausgenutzt werden. Google stellt die Chrome und Chromium Version 69.0.3497.100 als Sicherheitsupdate bereit. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1886/ ∗∗∗ Xcode: Eine Schwachstelle ermöglicht die Übernahme des Systems ∗∗∗ --------------------------------------------- Ein lokaler, einfach authentifizierter Angreifer kann die Schwachstelle mit Hilfe einer speziell präparierten Anwendung ausnutzen, um beliebigen Programmcode mit Kernelprivilegien auszuführen und dadurch das komplette System zu übernehmen. Apple stellt Xcode 10 für macOS High Sierra 10.13.6 und später zur Behebung der Schwachstelle bereit. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1885/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium-browser and libapache2-mod-perl2), Oracle (kernel), and Ubuntu (ghostscript, glib2.0, and php5). --------------------------------------------- https://lwn.net/Articles/765573/ ∗∗∗ WECON PLC Editor ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-261-01 ∗∗∗ Vuln: Apache Camel CVE-2018-8041 Directory Traversal Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/105352 ∗∗∗ Security Advisory - Sensitive Information Leak Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180919-… ∗∗∗ IBM Security Bulletin: Information Disclosure Security Vulnerability Affects IBM Sterling B2B Integrator (CVE-2018-1800) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731379 ∗∗∗ IBM Security Bulletin: Blind SQL injection vulnerability in IBM Business Automation Workflow and IBM Business Process Manager (CVE-2018-1674) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10720035 ∗∗∗ IBM Security Bulletin: IBM Data Science Experience Local is affected by a cryptography vulnerability ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10720161 ∗∗∗ The BIG-IP ASM system may stop enforcing attack signatures after activating a security policy that includes a new signature ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K83093212 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2018
by Daily end-of-shift report 18 Sep '18

18 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Montag 17-09-2018 18:00 − Dienstag 18-09-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Public Shaming of Companies for Bad Security ∗∗∗ --------------------------------------------- Troy Hunt makes some good points, with good examples. --------------------------------------------- https://www.schneier.com/blog/archives/2018/09/public_shaming_.html ∗∗∗ New XBash malware combines features from ransomware, cryptocurrency miners, botnets, and worms ∗∗∗ --------------------------------------------- Palo Alto Network researchers discovered a new malware, tracked as XBash, that combines features from ransomware, cryptocurrency miners, botnets, and worms Security researchers at Palo Alto Networks have .. --------------------------------------------- https://securityaffairs.co/wordpress/76305/malware/xbash-malware.html ∗∗∗ Extended Validation Certificates are Dead ∗∗∗ --------------------------------------------- Thats it - Im calling it - extended validation certificates are dead. Sure, you can still buy them (and there are companies out there that would just love to sell them to you!), but their usefulness has now descended from .. --------------------------------------------- https://www.troyhunt.com/extended-validation-certificates-are-dead/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisory: CVE-2018-13982: Smarty 3.1.32 or below Trusted-Directory Bypass via Path Traversal ∗∗∗ --------------------------------------------- Smarty 3.1.32 or below is prone to a path traversal vulnerability due to insufficient sanitization of code in Smarty templates. This allows attackers controlling the Smarty template to bypass the trusted directory security restriction and read arbitrary files. Full security advisory --------------------------------------------- https://www.sba-research.org/2018/09/18/security-advisory-cve-2018-13982-sm… ∗∗∗ VMSA-2018-0015.1 ∗∗∗ --------------------------------------------- VMware AirWatch Agent updates resolve remote code execution vulnerability. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0015.html ∗∗∗ iOS 12 is out today - Updates for Safari, watchOS, tvOS, iOS. Full details here https://support.apple.com/en-ca/HT201222, (Tue, Sep 18th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/24112 ∗∗∗ IBM Security Bulletin: IBM Connections Security Refresh for Apache Struts Remote Code Execution (RCE) Vulnerability (CVE-2018-11776) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10731343 ∗∗∗ IBM Security Bulletin: IBM Cloud Manager with OpenStack is affected by a OpenSSL vulnerabilities (CVE-2018-0739) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10725849 ∗∗∗ Remote Code Execution in Moodle ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/remote-code-execution-php-un… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.09.2018
by Daily end-of-shift report 17 Sep '18

17 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-09-2018 18:00 − Montag 17-09-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB18-34) ∗∗∗ --------------------------------------------- A prenotification security advisory (APSB18-34) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Wednesday, September 19, 2018. We will continue to provide updates on the upcoming release via the Security Bulletins and Advisories page as well [...] --------------------------------------------- https://blogs.adobe.com/psirt/?p=1609 ∗∗∗ CSS-basierte Web-Attacke bringt iPhones zum Absturz ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat eine Schwachstelle in iOS entdeckt, mit der iPhones zum Absturz gebracht und neu gestartet werden können. --------------------------------------------- https://futurezone.at/digital-life/css-basierte-web-attacke-bringt-iphones-… ∗∗∗ Fbot, A Satori Related Botnet Using Block-chain DNS System ∗∗∗ --------------------------------------------- Since 2018-09-13 11:30 UTC, a new botnet (we call it Fbot) popped up in our radar which really caught our attention.There are 3 interesting aspects about this new botnet:First, so far the only purpose of this botnet looks to be just going after and removing another botnet --------------------------------------------- http://blog.netlab.360.com/threat-alert-a-new-worm-fbot-cleaning-adbminer-i… ∗∗∗ Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows ∗∗∗ --------------------------------------------- Unit 42 researchers discover Xbash, a new malware family tied to the Iron Group targeting Linux and Microsoft Servers --------------------------------------------- https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-b… ∗∗∗ User Agent String "$ua.tools.random()" ? :-) ! ∗∗∗ --------------------------------------------- For many years I've observed requests for page license.php on my webservers, from various IPs and with various User Agent Strings: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/24102 ∗∗∗ Outdated Duplicator Plugin RCE Abused ∗∗∗ --------------------------------------------- We’re seeing an increase in the number of cases where attackers are disabling WordPress sites by removing or rewriting its wp-config.php file. These cases are all linked to the same vulnerable software: WordPress Duplicator Plugin. Versions lower than 1.2.42 of Snap Creek Duplicator plugin are vulnerable to a Remote Code Execution attack, where the malicious visitor is able to run any arbitrary code on the target site. --------------------------------------------- https://blog.sucuri.net/2018/09/outdated-duplicator-plugin-rce-abused.html ∗∗∗ Erlang Authenticated Remote Code Execution ∗∗∗ --------------------------------------------- Erlang is a programming language that I have tried to learn a few times in the past but never really dug in, that is, until recently.Erlange is an interesting language because it has “built-in concurrency, distribution, and fault tolerence”. To me, this means that it does job queing and distributed tasks right out of the gate. --------------------------------------------- https://malicious.link/post/2018/erlang-arce/ ∗∗∗ Bewerbungsschreiben verbreiten Schadsoftware ∗∗∗ --------------------------------------------- Unternehmen erhalten von Arbeitssuchenden elektronische Bewerbungsschreiben. Für die ausführlichen und angehängten Bewerbungsunterlagen der Kandidat/innen sollen sie einen Dateianhang im ZIP-Format öffnen. Er beinhaltet ausführbare Microsoft Windows-Anwendungen, die Schadsoftware sind. Diese Anwendungen dürfen Mitarbeiter/innen nicht öffnen, denn damit installieren sie die Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/news/bewerbungsschreiben-verbreiten-schad… ∗∗∗ gymondi.com ist ein Fakeshop ∗∗∗ --------------------------------------------- Gymondi.com ist ein sehr aufwendig aufgesetzter Onlineshop, der das Herz von Sportler/innen höherschlagen lässt. Konsument/innen finden bei gymondi.com Fitnessgeräte zu günstigeren Preisen als bei der Konkurrenz. Zusätzlich zum Preisvorteil kann ein 20% Rabattgutschein eingelöst werden, was den Gesamtpreis erheblich mindert. Wir raten von einem Einkauf ab! Sie werden lediglich um einen hohen Geldbetrag betrogen und gehen leer aus. --------------------------------------------- https://www.watchlist-internet.at/news/gymondicom-ist-ein-fakeshop/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (discount, ghostscript, intel-microcode, mbedtls, thunderbird, and zutils), Fedora (ghostscript, java-1.8.0-openjdk-aarch32, kernel-headers, kernel-tools, libzypp, matrix-synapse, nspr, nss, nss-softokn, nss-util, zsh, and zypper), Mageia (kernel, kernel-linus, and kernel-tmb), openSUSE (chromium, curl, ffmpeg-4, GraphicsMagick, kernel, libzypp, zypper, okular, python3, spice-gtk, tomcat, and zsh), Oracle (kernel), Slackware (php), SUSE (curl, [...] --------------------------------------------- https://lwn.net/Articles/765048/ ∗∗∗ BlackBerry Powered by Android Security Bulletin - September 2018 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Moodle: Mehrere Schwachstellen ermöglichen u. a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1871/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.09.2018
by Daily end-of-shift report 14 Sep '18

14 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-09-2018 18:00 − Freitag 14-09-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Interesting approach: Skill Squatting with Amazon Echo ∗∗∗ --------------------------------------------- Mishearing something every once in a while is a normal thing for humans. In that respect, Amazon Echo has some human characteristics as well. A research team from the University of Illinois has taken a closer look at Echo, Alexa and the abuse potential for malicious Alexa skills. They have presented their findings at the Usenix conference. --------------------------------------------- https://www.gdatasoftware.com/blog/2018/09/31112-skill-squatting-amazon-echo ∗∗∗ Windows, Linux Kodi Users Infected With Cryptomining Malware ∗∗∗ --------------------------------------------- An anonymous reader quotes a report from ZDNet: Users of Kodi, a popular media player and platform designed for TVs and online streaming, have been the targets of a malware campaign, ZDNet has learned from cyber-security firm .. --------------------------------------------- https://it.slashdot.org/story/18/09/13/2118233/windows-linux-kodi-users-inf… ∗∗∗ Apple Has Started Paying Hackers for iPhone Exploits ∗∗∗ --------------------------------------------- Lorenzo Franceschi-Bicchierai, reporting for Motherboard: In 2016, Apples head of security surprised the attendees of one of the biggest security conference in the world by announcing a bug bounty program for Apples mobile operating .. --------------------------------------------- https://it.slashdot.org/story/18/09/14/1441201/apple-has-started-paying-hac… ∗∗∗ Unsuccessfully Defaced Websites ∗∗∗ --------------------------------------------- Defaced websites are a type of hack that is easy to notice and a pain for website owners. Recently, we came across some defacement pages with a peculiar JavaScript injection included in the source code. What is a .. --------------------------------------------- https://blog.sucuri.net/2018/09/unsuccessfully-defaced-websites.html ∗∗∗ DarkCloud Bootkit ∗∗∗ --------------------------------------------- In an earlier blog about crypto-malware, we described different techniques used by cybercriminals, such as cryptomining and wallet stealing. In this blog, we will provide a technical analysis of yet another type of .. --------------------------------------------- https://www.zscaler.com/blogs/research/darkcloud-bootkit ∗∗∗ Bug in Intels ME-Firmware: Wieder BIOS-Updates nötig ∗∗∗ --------------------------------------------- Die russischen Experten von PTE haben erneut einen schwerwiegenden Bug bei kryptografischen Schlüsseln in Intels Management Engine (ME) entdeckt. --------------------------------------------- https://heise.de/-4165732 ∗∗∗ GlobeImposter use new ways to spread to the globe: How to prevent falling victims? ∗∗∗ --------------------------------------------- Recently, there have been many incidents of ransomware attacks. Once users are .. --------------------------------------------- https://blog.360totalsecurity.com/en/globeimposter-use-new-ways-to-spread-t… ∗∗∗ Hacking an assault tank… A Nerf one ∗∗∗ --------------------------------------------- TL;DR A complex, challenging reverse and hijack of a toy tank Nerf gun camera, but the result was we got to shoot the 44Con conference organiser with it! Why A remote-controlled Nerf gun with .. --------------------------------------------- https://www.pentestpartners.com/security-blog/hacking-an-assault-tank-a-ner… ===================== = Vulnerabilities = ===================== ∗∗∗ Honeywell Mobile Computers with Android Operating Systems ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper privilege management vulnerability in the Honeywell mobile computers running the Android Operating System. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-256-01 ∗∗∗ CVE-2018-16962: Webroot SecureAnywhere macOS Kernel Level Memory Corruption ∗∗∗ --------------------------------------------- https://trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-16962--Webroot-Sec… ∗∗∗ HPESBHF03866 rev.1 - HPE Integrated Lights-Out 3,4,5 using SSH, Remote Execution of Arbitrary Code and Disclosure of Sensitive Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2018
by Daily end-of-shift report 13 Sep '18

13 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-09-2018 18:00 − Donnerstag 13-09-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Office VBA + AMSI: Parting the veil on malicious macros ∗∗∗ --------------------------------------------- As part of our continued efforts to tackle entire classes of threats, Office 365 client applications now integrate with Antimalware Scan Interface (AMSI), enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior. --------------------------------------------- https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi… ∗∗∗ A New Mining Botnet Blends Its C2s into ngrok Service ∗∗∗ --------------------------------------------- These days, it feels like new mining malwares are popping up almost daily and we have pretty much stopped blogging the regular ones so we don’t flood our readers’ feed. With that being said, one did have our attention recently. This botnet hides its C2s(Downloader and Reporter [...] --------------------------------------------- http://blog.netlab.360.com/a-new-mining-botnet-blends-its-c2s-into-ngrok-se… ∗∗∗ Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars ∗∗∗ --------------------------------------------- High-end vehicles are often equipped with a Passive Keyless Entry and Start (PKES) system. These PKES systems allow to unlock and start the vehicle based on the physical proximity of a paired key fob; no user interaction is required. --------------------------------------------- https://www.esat.kuleuven.be/cosic/fast-furious-and-insecure-passive-keyles… ∗∗∗ The 42M Record kayo.moe Credential Stuffing Data ∗∗∗ --------------------------------------------- This is going to be a brief blog post but its a necessary one because I cant load the data Im about to publish into Have I Been Pwned (HIBP) without providing more context than what I can in a single short breach description. Heres the story: [...] --------------------------------------------- https://www.troyhunt.com/the-42m-record-kayo-moe-credential-stuffing-data/ ∗∗∗ Keine 359,88 Euro an Streaming-Plattformen zahlen ∗∗∗ --------------------------------------------- Die Streaming-Plattformen borastream.de und matostream.de verlangen von Besucher/innen eine kostenlose Registrierung. Sie führt ohne Hinweis zu einer Premium-Mitgliedschaft um 359,88 Euro pro Jahr. Konsument/innen müssen die Rechnung der Website-Betreiberinnen Roxo Films Ltd bzw. Filmser Ltd27 nicht bezahlen, denn ihre Angebote sind unseriöse Abo-Fallen. --------------------------------------------- https://www.watchlist-internet.at/news/keine-35988-euro-an-streaming-plattf… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ghostscript and openssh), Oracle (firefox), Scientific Linux (firefox and OpenAFS), SUSE (tomcat), and Ubuntu (openjdk-lts). --------------------------------------------- https://lwn.net/Articles/764713/ ∗∗∗ ZDI-18-1046: (0Day) PoDoFo Library ParseToUnicode Memory Corruption Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-1046/ ∗∗∗ Intel Baseboard Management Controller (BMC) Firmware: Eine Schwachstelle ermöglicht die Eskalation von Privilegien ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1861/ ∗∗∗ IBM Security Bulletin: IBM Connections Security Refresh (CVE-2018-1791) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731207 ∗∗∗ IBM Security Bulletin: Vulnerabilities identified in IBM® Java SDK affect WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio (CVE-2018-1656 and CVE-2018-12539) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10728399 ∗∗∗ IBM Security Bulletin: Weaker than expected security in WebSphere Application Server (CVE-2018-1719) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10718837 ∗∗∗ IBM Security Bulletin: A Vulnerability in the Java runtime environment that IBM provides affects WebSphere DataPower XC10 Appliance ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718653 ∗∗∗ IBM Security Bulletin: A Vulnerability in Java runtime environment that IBM provides affects WebSphere eXtreme Scale ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718453 ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSH affects QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731317 ∗∗∗ IBM Security Bulletin: WebSphere MQ V5.3 for HP NonStop Server (MIPS and Itanium) is affected by OpenSSL vulnerability CVE-2018-0739 ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10731019 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.09.2018
by Daily end-of-shift report 12 Sep '18

12 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-09-2018 18:00 − Mittwoch 12-09-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ British Airways Breach Caused By the Same Group That Hit Ticketmaster ∗∗∗ --------------------------------------------- A cyber-criminal operation known as Magecart is believed to have been behind the recent card breach announced last week by British Airways. The operation has been active since 2015 when RisqIQ and ClearSky researchers spotted the malware for the first time. The groups regular mode of operation involves hacking into online stores and hiding JavaScript code that steals payment card information entered into store checkout pages, [...] --------------------------------------------- https://it.slashdot.org/story/18/09/11/1116221/british-airways-breach-cause… ∗∗∗ When is a patch not a patch? When its for this McAfee password bug ∗∗∗ --------------------------------------------- Vulnerability still open to all despite multiple fixes A privilege escalation flaw in McAfees True Key software remains open to exploitation despite multiple attempts to patch it. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/09/11/mcafee_flaw… ∗∗∗ Back up a minute: Veeam database config snafu exposed millions of customer records ∗∗∗ --------------------------------------------- Firm helps self with own disaster recovery A misconfigured server at data recovery and backup firm Veeam exposed millions of email addresses. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/09/12/veeam_datab… ∗∗∗ Erpresserische E-Mail droht mit Masturbationsvideo ∗∗∗ --------------------------------------------- Unternehmen erhalten eine erpresserische E-Mail, die angeblich von ihrer eigenen Adresse stammt. Darin behaupten Kriminelle, dass sie Zugriff auf den fremden Computer haben und über Masturbationsvideos der Empfänger/innen verfügen. Opfer sollen Bitcoins zahlen, damit es zu keiner Veröffentlichung kommt. Der Inhalt der Nachricht ist erfunden. Eine Zahlung ist nicht erforderlich. --------------------------------------------- https://www.watchlist-internet.at/news/erpresserische-e-mail-droht-mit-mast… ∗∗∗ Warnung vor telmo24.de ∗∗∗ --------------------------------------------- Der Fake-Shop telmo24.de vertreibt günstige Handys und Tablets. Trotz Bezahlung liefert er keine Ware. Konsument/innen können den Fake-Shop daran erkennen, dass er über sehr niedrige Preise verfügt und ausschließlich eine Bezahlung im Voraus akzeptiert. Vor einem Einkauf ist dringend abzuraten! --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-telmo24de/ ∗∗∗ Sicherheit - Microsoft schließt drei gefährliche Zero-Day-Lücken bei Windows ∗∗∗ --------------------------------------------- Eine davon auch bereits aktiv ausgenutzt - Insgesamt 17 kritische Lücken behoben --------------------------------------------- https://derstandard.at/2000087198816/Microsoft-schliesst-drei-gefaehrliche-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kamailio, libextractor, and mgetty), Fedora (community-mysql, ghostscript, glusterfs, iniparser, okular, and zsh), openSUSE (compat-openssl098, php5, and qemu), Red Hat (firefox), SUSE (libzypp, zypper, python3, spark, and zsh), and Ubuntu (zsh). --------------------------------------------- https://lwn.net/Articles/764645/ ∗∗∗ OpenAFS: Mehrere Schwachstellen ermöglichen u. a. die Manipulation von Daten ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1854/ ∗∗∗ INTEL-SA-00125: A potential security vulnerability in Intel CSME, Intel Server Platform Services and Intel Trusted Execution Engine Firmware may allow information disclosure ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ Security Advisory - FRP Bypass Vulnerability on Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180912-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affects WebSphere Application Server July 2018 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729745 ∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management could allow an authenticated attacker to obtain sensitive information. (CVE-2018-1698) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10728857 ∗∗∗ IBM Security Bulletin: Potential spoofing attack in WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-1695) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10730979 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22012749 ∗∗∗ IBM Security Bulletin: Code execution vulnerability in WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-1567) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10730983 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect GCM16 & GCM32 KVM Switch Firmware ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10731205 ∗∗∗ libidn vulnerability CVE-2016-6263 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K25353544 ∗∗∗ HPESBHF03893 rev.1 - HPE Intelligent Management Center (iMC) Wireless Services Manager Software, Remote Code Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03876 rev.1 - HPE ProLiant ML10 Gen9 Servers with Intel-based Processors using Active Management Technology (AMT), Multiple Local Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBHF03873 rev.1 - Certain HPE Gen10 Servers with Intel-based Processors using Converged Security and Management Engine (CSME), and Power Management Controller (PMC) Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.09.2018
by Daily end-of-shift report 11 Sep '18

11 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Montag 10-09-2018 18:00 − Dienstag 11-09-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Mongo Lock Attack Ransoming Deleted MongoDB Databases ∗∗∗ --------------------------------------------- An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, wiping them, and then demanding a ransom in order to get the contents back. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mongo-lock-attack-ransoming-… ∗∗∗ OpenSSL 1.1.1 Is Released ∗∗∗ --------------------------------------------- Since 1.1.1 is our new LTS release we are strongly advising all users to upgrade as soon as possible. For most applications this should be straight forward if they are written to work with OpenSSL 1.1.0. --------------------------------------------- https://www.openssl.org/blog/blog/2018/09/11/release111/ ∗∗∗ "Google Fonts" popup leads to malware ∗∗∗ --------------------------------------------- A recent malware injection in a client's WordPress file was found to be targeting website visitors that were using the Google Chrome browser to access the infected website. It uses Javascript to detect the visitor's use of Google Chrome and then upon the visitor clicking it generates a popup notification which falsely claims that the visitor's Google Chrome is missing the "HoeflerText" font ... --------------------------------------------- http://labs.sucuri.net/?note=2018-09-10 ∗∗∗ Nicht auf gamingkoenig.org reinfallen ∗∗∗ --------------------------------------------- Bei gamingkoenig.org wird Computerzubehör zu Schnäppchenpreisen angeboten. Konsument/innen dürfen bei dem Anbieter auf keinen Fall bestellen, denn es handelt sich um einen Fakeshop. Die bestellte Ware wird sie nie erreichen und Konsument/innen verlieren einen hohen Geldbetrag. --------------------------------------------- https://www.watchlist-internet.at/news/nicht-auf-gamingkoenigorg-reinfallen/ ∗∗∗ Anwaltsschreiben mit Schadsoftware im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden unter dem Namen von erfundenden Anwaltskanzleien betrügerische E-Mails. Darin behauten sie, dass Empfänger/innen einen pornografischen Film angesehen und damit eine Urheberrechtsverletzung begangen haben. Weiterführende Informationen dazu finden sich angeblich in einem Dateianhang. Er verbirgt Schadsoftware und darf nicht geöffnet werden. --------------------------------------------- https://www.watchlist-internet.at/news/anwaltsschreiben-mit-schadsoftware-i… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe ColdFusion(APSB18-33) and Adobe Flash Player (APSB18-31). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1607 ∗∗∗ eDirectory 9.1.1 Hot Patch 1 ∗∗∗ --------------------------------------------- This update is being provided to resolve potential critical issues found since the latest patch: - Open unvalidated redirect vulnerability in iMonitor (Bug 1082040) (CVE-2018-7692) --------------------------------------------- https://download.novell.com/Download?buildid=vP3nS-Hctkk~ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libextractor), Fedora (godot and iniparser), Oracle (kernel), Red Hat (chromium-browser and Fuse 7.1), SUSE (compat-openssl098, openssh, php5, php53, qemu, and tiff), and Ubuntu (kernel, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2, and linux-hwe, linux-azure, linux-gcp). --------------------------------------------- https://lwn.net/Articles/764575/ ∗∗∗ Vuln: SAP Business One For Android CVE-2018-2460 Certificate Validation Security Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/105309 ∗∗∗ Vuln: SAP NetWeaver WebDynpro Java CVE-2018-2464 Cross Site Scripting Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/105308 ∗∗∗ Vuln: SAP Business One CVE-2018-2458 Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/105307 ∗∗∗ Cisco Email Security Appliance and Content Security Management Appliance HTTP Response Splitting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Advisory - Two Insufficient Input Validation Vulnerabilities in Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180911-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-1656, CVE-2018-12539) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10730799 ∗∗∗ IBM Security Bulletin: IBM API Connect is impacted by a Drupal 8 vulnerability (CVE-2018-14773) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10719697 ∗∗∗ IBM Security Bulletin: Datacap Taskmaster Capture, Datacap Fastdoc Capture and Datacap Navigator is affected by vulnerability due to unexpected authentication behavior ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729013 ∗∗∗ IBM Security Bulletin: Rational Asset Analyzer (RAA) is affected by a WAS Liberty vulnerability ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10720295 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM QRadar SIEM ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729699 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-0732, CVE-2018-0737) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10730811 ∗∗∗ IBM Security Bulletin: WebSphere DataPower Appliances is affected by a Denial of Service vulnerability (CVE-2018-0739) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10726053 ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by a vulnerability in bind (CVE-2017-3145) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10719051 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities in Apache Geronimo Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10728841 ∗∗∗ SSA-268644 (Last Update: 2018-09-11): Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-268644.pdf ∗∗∗ SSA-346256 (Last Update: 2018-09-11): Vulnerability in SIMATIC WinCC OA V3.14 and prior ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-346256.pdf ∗∗∗ SSA-198330 (Last Update: 2018-09-11): Local Privilege Escalation in TD Keypad Designer ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-198330.pdf ∗∗∗ SSA-447396 (Last Update: 2018-09-11): Denial-of-Service in SCALANCE X300, SCALANCE X408 and SCALANCE X414 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-447396.pdf -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.09.2018
by Daily end-of-shift report 10 Sep '18

10 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-09-2018 18:00 − Montag 10-09-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ VLAN Hopping and Mitigation ∗∗∗ --------------------------------------------- We'll start with a few concepts: VLAN A VLAN is used to share the physical network while creating virtual segmentations to divide specific groups. For example, a host on VLAN 1 is separated from any host on VLAN 2. Any packets sent between VLANs must go through a router or other layer 3 devices. Security is one of the many reasons network administrators configure VLANs. However, with an exploit known as VLAN Hopping, an attacker is able to bypass these security implementations. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/vlan-hopping-and-mitig… ∗∗∗ Keybase Browser Extension Could Allow Sites to See Messages ∗∗∗ --------------------------------------------- The browser extension for the Keybase app fails to keep the end-to-end encryption promised by its desktop variant as sites could see the text being types into the chat area. --------------------------------------------- https://www.bleepingcomputer.com/news/security/keybase-browser-extension-co… ∗∗∗ Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall ∗∗∗ --------------------------------------------- Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These are the IoT botnets associated with unprecedented Distributed Denial of Service attacks in November 2016 and since. --------------------------------------------- https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-io… ∗∗∗ Knuddels.de: Millionen Nutzerdaten mit Passwörtern geleakt ∗∗∗ --------------------------------------------- Bei der deutschen Chat-Community Knuddels.de gab es ein immenses Datenleck: Die Accountdaten fast aller Nutzer standen im Netz. --------------------------------------------- https://heise.de/-4158265 ∗∗∗ Apps that steal users' browser histories kicked out of the Mac App store ∗∗∗ --------------------------------------------- Apple has removed "Adware Doctor" from the macOS App Store amid claims that the program was uploading browser histories to China. And it turns out that wasnt the only popular app stealing users private information. --------------------------------------------- https://www.tripwire.com/state-of-security/featured/apps-that-steal-users-b… ∗∗∗ Irreführende Rechnung von ITR Register ∗∗∗ --------------------------------------------- Unternehmen, die ihre Marke oder ihr Geschmacksmuster beim Amt der Europäischen Union für Geistiges Eigentum (EuIPO) registrieren, erhalten eine Rechnung von ITR Register. Sie sollen 1.380 Euro für einen Eintrag auf itr-service.com bezahlen. Die Zahlungsaufforderung von ITR Register ist ein irreführendes Vertragsangebot. Unternehmen müssen den Geldbetrag nicht bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/irrefuehrende-rechnung-von-itr-regis… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium-browser, curl, discount, firefox-esr, ghostscript, and openssh), Fedora (curl, firefox, ghostscript, glibc, mod_perl, thunderbird, and unixODBC), openSUSE (chromium, firefox, GraphicsMagick, nodejs4, and thunderbird), Oracle (kernel), and SUSE (java-1_7_1-ibm and kvm). --------------------------------------------- https://lwn.net/Articles/764511/ ∗∗∗ IBM Security Bulletin: WebSphere DataPower Appliances is affected by multiple issues ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10726039 ∗∗∗ IBM Security Bulletin: WebSphere DataPower Appliances is affected by a Denial of Service vulnerability (CVE-2018-0732) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10730341 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect DataPower Gateways ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10726009 ∗∗∗ IBM Security Bulletin: WebSphere DataPower Appliances is affected by a vulnerability in OpenSSL (CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10730515 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affects Netezza Performance Portal ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10728351 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affects Netezza Performance Portal ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10718249 ∗∗∗ RSA BSAFE Crypto-J Crypto Timing Error Lets Remote Users Obtain Keys ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041615 ∗∗∗ RSA BSAFE SSL-J Crypto Timing and Memory Access Errors Let Remote or Physically Local Users Obtain Keys ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041614 ∗∗∗ QNAP Storage Devices PHP Buffer Error Lets Remote Users Deny Service ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1041607 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.09.2018
by Daily end-of-shift report 07 Sep '18

07 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-09-2018 18:00 − Freitag 07-09-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Chainshot Malware Found By Cracking 512-Bit RSA Key ∗∗∗ --------------------------------------------- Security researchers exploited a threat actors poor choice for encryption and discovered a new piece of malware along with network infrastructure that links to various targeted attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-chainshot-malware-found-… ∗∗∗ Hotspot Honeypot ∗∗∗ --------------------------------------------- Introduction The Hotspot Honeypot is an illegitimate Wi-Fi access point which can appear as an authorized and secure hotspot. Despite appearances, it is actually set up by black-hat attackers or malicious hackers to steal your bank and credit card details, passwords and other personal information. --------------------------------------------- https://resources.infosecinstitute.com/hotspot-honeypot/ ∗∗∗ British Airways Website, Mobile App Breach Compromises 380k ∗∗∗ --------------------------------------------- The airline said information like name, address and bank card details like CVC code were compromised. --------------------------------------------- https://threatpost.com/british-airways-website-mobile-app-breach-compromise… ∗∗∗ 2018 CEF Telecom Call - €13 million to reinforce the EUs Cybersecurity capacity ∗∗∗ --------------------------------------------- The European Commission calls for proposals under the Connecting Europe Facility (CEF) to reinforce the EUs cybersecurity capacity, with up to €13 million available in grant funding, open until the 22 November 2018. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/2018-cef-telecom-call2013-20ac1… ∗∗∗ Jetzt patchen! Die Ransomware Gandcrab schlüpft durch Flash- und Windows-Lücken ∗∗∗ --------------------------------------------- Auf einigen kompromittierten Webseiten lauert ein Exploit Kit, das nach Sicherheitslücken in Flash und Windows Ausschau hält. --------------------------------------------- https://heise.de/-4157172 ∗∗∗ Vulnerability Spotlight: CVE-2018-3952 / CVE-2018-4010 - Multi-provider VPN Client Privilege Escalation Vulnerabilities ∗∗∗ --------------------------------------------- Cisco Talos has discovered two similar vulnerabilities in the ProtonVPN and NordVPN VPN clients. The vulnerabilities allow attackers to execute code as an administrator on Microsoft Windows operating systems from a standard user. --------------------------------------------- https://blog.talosintelligence.com/2018/09/vulnerability-spotlight-Multi-pr… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2018-0017.3 - VMware Tools update addresses an out-of-bounds read vulnerability ∗∗∗ --------------------------------------------- [...] VMware Tools 10.3.0 is is discontinued because of a functional issue with 10.3.0 in ESXi 6.5, please refer to KB55796 for more information. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0017.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu and xen), Mageia (libxkbcommon, sleuthkit, and wireshark), openSUSE (apache-pdfbox, dovecot22, and php7), SUSE (enigmail, kernel, nodejs4, and php7), and Ubuntu (firefox and transfig). --------------------------------------------- https://lwn.net/Articles/764386/ ∗∗∗ (0Day) Remote Code Execution Vulnerabilities in Hewlett Packard Enterprise Intelligent Management Center ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-999/ http://www.zerodayinitiative.com/advisories/ZDI-18-1000/ http://www.zerodayinitiative.com/advisories/ZDI-18-1001/ http://www.zerodayinitiative.com/advisories/ZDI-18-1002/ http://www.zerodayinitiative.com/advisories/ZDI-18-1003/ http://www.zerodayinitiative.com/advisories/ZDI-18-1004/ http://www.zerodayinitiative.com/advisories/ZDI-18-1005/ http://www.zerodayinitiative.com/advisories/ZDI-18-1006/ http://www.zerodayinitiative.com/advisories/ZDI-18-1007/ --------------------------------------------- ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10730727 ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a Bouncy Castle vulnerability ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22016006 ∗∗∗ IBM Security Bulletin: Vulnerabilities in NTP affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and IBM Flex System FC3171 8Gb SAN Switch & SAN Pass-thru ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10730717 ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a Public disclosed vulnerability from Bouncy Castle ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22016292 ∗∗∗ IBM Security Bulletin: IBM OpenPages GRC Platform is affected by an Information disclosure vulnerability (CVE-2017-1679) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10728737 ∗∗∗ Apache Tomcat vulnerability CVE-2018-1336 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K73008537 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2018
by Daily end-of-shift report 06 Sep '18

06 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-09-2018 18:00 − Donnerstag 06-09-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Nicht bestellen bei apothekerezeptfrei.com ∗∗∗ --------------------------------------------- KonsumentInnen, die auf der Suche nach Medikamenten und insbesondere Potenzmitteln sind, finden auf apothekerezeptfrei.com ein großes Angebot an teils verschreibungspflichtigen Medikamenten. InteressentInnen sollten hier auf keinen Fall bestellen, denn es handelt sich um einen Fake-Shop, der trotz Bezahlung keine Ware liefert. Zusätzlich sollten verschreibungspflichtige Medikamente nicht ohne entsprechende Verschreibung gekauft werden. --------------------------------------------- https://www.watchlist-internet.at/news/nicht-bestellen-bei-apothekerezeptfr… ∗∗∗ Browser Extensions: Are They Worth the Risk? ∗∗∗ --------------------------------------------- Popular file-sharing site Mega.nz is warning users that cybercriminals hacked its browser extension for Google Chrome so that any usernames and passwords submitted through the browser were copied and forwarded to a rogue server in Ukraine. This attack serves as a fresh reminder that legitimate browser extensions can and periodically do fall into the wrong hands, and that it makes good security sense to limit your exposure to such attacks by getting rid of extensions that are no longer useful or --------------------------------------------- https://krebsonsecurity.com/2018/09/browser-extensions-are-they-worth-the-r… ∗∗∗ Malicious PowerShell Compiling C# Code on the Fly, (Wed, Sep 5th) ∗∗∗ --------------------------------------------- What I like when hunting is to discover how attackers are creative to find new ways to infect their victims computers. I came across a Powershell sample that looked new and interesting to me. --------------------------------------------- https://isc.sans.edu/diary/rss/24072 ∗∗∗ Using just a laptop, boffins sniff, spoof and pry – without busting browser padlock ∗∗∗ --------------------------------------------- In a paper seen by The Register, to be presented at the ACM's Conference on Computer and Communications Security (Toronto in October), Dr Shulman's team wrote: "The attack exploits DNS Cache Poisoning and tricks the CA into issuing fraudulent certificates for domains the attacker does not legitimately own – namely certificates binding the attacker's public key to a victim domain." --------------------------------------------- https://www.theregister.co.uk/2018/09/06/boffins_break_cas_domain_validatio… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Releases Security Updates ∗∗∗ --------------------------------------------- Original release date: September 05, 2018 Cisco has released updates to address multiple vulnerabilities affecting Cisco products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. NCCIC encourages users and administrators to review the Cisco Security Advisories and Alerts website and apply the necessary updates. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2018/09/05/Cisco-Releases-Sec… ∗∗∗ DokuWiki CSV Formula Injection Vulnerability ∗∗∗ --------------------------------------------- The administration panel of the application has a “CSV export of users” feature which allows the export of user data (username, real name, email address and user groups) as a CSV file. On the registration page, it is possible for an attacker to set certain values in the Real Name field that – when exported and opened with a spreadsheet application (Microsoft Excel, Open Office, etc.) – will be interpreted as a formula. --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/dokuwiki-csv-formula-injecti… ∗∗∗ VMSA-2018-0023: AirWatch Agent and VMware Content Locker updates resolve data protection vulnerabilities ∗∗∗ --------------------------------------------- * The AirWatch Agent for iOS devices contains a data protection vulnerability whereby the files and keychain entries in the Agent are not encrypted. CVE-2018-6975 * The VMware Content Locker for iOS devices contains a data protection vulnerability in the SQLite database. This vulnerability relates to unencrypted filenames and associated metadata in SQLite database for the Content Locker. CVE-2018-6976 --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0023.html ∗∗∗ Vulnerability Spotlight: TALOS-2018-0560 - ERPNext SQL Injection Vulnerabilities ∗∗∗ --------------------------------------------- Talos is disclosing multiple SQL injection vulnerabilities in the Frappe ERPNext Version 10.1.6 application. Frappe ERPNext is an open-source enterprise resource planning (ERP) cloud application. These vulnerabilities enable an attacker to bypass authentication and get unauthenticated access to sensitive data. An attacker can use a normal web browser to trigger these vulnerabilities — no special tools are required. --------------------------------------------- https://blog.talosintelligence.com/2018/09/vulnerability-spotlight-talos-20… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, gdm3, git-annex, lcms2, and sympa), Fedora (discount, dolphin-emu, gd, obs-build, osc, tcpflow, and yara), openSUSE (wireshark), Slackware (curl, firefox, ghostscript, and thunderbird), SUSE (apache-pdfbox, curl, dovecot22, and libvirt), and Ubuntu (libtirpc). --------------------------------------------- https://lwn.net/Articles/764300/ ∗∗∗ IBM Security Bulletin: Vulnerabilities in Kerberos affect Power Hardware Management Console (CVE-2017-11368, CVE-2017-7562) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10717893 ∗∗∗ IBM Security Bulletin: IBM Lotus Protector for Mail Security has released fixes in response to the public disclosed vulnerability from PHP ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10719483 ∗∗∗ IBM Security Bulletin: Vulnerabilities in Oracle Outside In Technology Affect IBM WebSphere Portal (CVE-2018-2768, CVE-2018-2801, CVE-2018-2806) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10715935 ∗∗∗ IBM Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2018-1567) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22016254 ∗∗∗ Apache Tomcat vulnerability CVE-2018-8034 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34468163 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.09.2018
by Daily end-of-shift report 05 Sep '18

05 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-09-2018 18:00 − Mittwoch 05-09-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Verschlüsselung: NSA-Chiffre Speck fliegt aus dem Linux-Kernel ∗∗∗ --------------------------------------------- Mit der NSA-Chiffre Speck wollte Google ursprünglich den Speicher von Low-End-Android-Smartphones verschlüsseln, doch nun hat das Unternehmen seine Unterstützung dafür zurückgezogen. Die umstrittene Verschlüsselung wird deshalb wieder aus dem Linux-Kernel entfernt. (Linux-Kernel, Verschlüsselung) --------------------------------------------- https://www.golem.de/news/verschluesselung-nsa-chiffre-speck-fliegt-aus-dem… ∗∗∗ Multiple Remote Code-Execution Flaws Patched in Opsview Monitor ∗∗∗ --------------------------------------------- Five flaws were disclosed Tuesday in monitoring software Opsview Monitor. --------------------------------------------- https://threatpost.com/multiple-remote-code-execution-flaws-patched-in-opsv… ∗∗∗ WordPress Database Upgrade Phishing Campaign ∗∗∗ --------------------------------------------- We have recently been notified of phishing emails that target WordPress users. The content informs site owners that their database requires an update and looks like this: The email’s appearance resembles that of a legitimate WordPress update message, however the content includes typos and uses an older messaging style. Another suspicious item in the content is the deadline. --------------------------------------------- https://blog.sucuri.net/2018/09/wordpress-database-upgrade-phishing-campaig… ∗∗∗ PowerPool malware exploits ALPC LPE zero-day vulnerability ∗∗∗ --------------------------------------------- Malware from newly uncovered group PowerPool exploits zero-day vulnerability in the wild, only two days after its disclosure --------------------------------------------- https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-d… ∗∗∗ Lets Trade: You Read My Email, Ill Read Your Password! ∗∗∗ --------------------------------------------- Its been a while, but my last few posts have been on password spraying, which is great approach if your customer has an userid / password interface that faces the internet. I also ran a walk-through on using responder and LLMNR. But what if you are on the outside, and your customer is wise enough to front all of those interfaces with two-factor authentication, or mutual certificate authentication? --------------------------------------------- https://isc.sans.edu/forums/diary/Lets+Trade+You+Read+My+Email+Ill+Read+You… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#598349: Problems with automatic DNS registration and autodiscovery ∗∗∗ --------------------------------------------- Problems with automatic DNS registration and autodiscovery. If an attacker with access to the network adds a malicious device to the network with the name WPAD, such an attacker may be able to utilize DNS autoregistration and autodiscovery to act as a proxy for victims on the network, resulting in a loss of confidentiality and [...] --------------------------------------------- http://www.kb.cert.org/vuls/id/598349 ∗∗∗ Opto22 PAC Control Basic and PAC Control Professional ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for a stack-based buffer overflow vulnerability in Opto22s PAC Control software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-247-01 ∗∗∗ Android Security Bulletin - September 2018 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. [...] The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2018-09-01 ∗∗∗ (0Day) Cisco WebEx Network Recording Player Improper Access Control Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on vulnerable installations of Cisco WebEx Network Recording Player. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-18-998/ ∗∗∗ Remote Code Execution Vulnerabilities in WECON LeviStudioU ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-989/ http://www.zerodayinitiative.com/advisories/ZDI-18-990/ http://www.zerodayinitiative.com/advisories/ZDI-18-991/ http://www.zerodayinitiative.com/advisories/ZDI-18-992/ http://www.zerodayinitiative.com/advisories/ZDI-18-993/ http://www.zerodayinitiative.com/advisories/ZDI-18-994/ http://www.zerodayinitiative.com/advisories/ZDI-18-995/ http://www.zerodayinitiative.com/advisories/ZDI-18-996/ http://www.zerodayinitiative.com/advisories/ZDI-18-997/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lcms2), openSUSE (yubico-piv-tool), Oracle (kernel), and SUSE (cobbler and kvm). --------------------------------------------- https://lwn.net/Articles/764182/ ∗∗∗ Synology-SA-18:52 Android Moments ∗∗∗ --------------------------------------------- A vulnerability allows man-in-the-middle attackers to execute arbitrary code via a susceptible version of Android Moments. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_18_52 ∗∗∗ Red Hat Gluster Storage Wed Administration, tendrl-api: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1790/ ∗∗∗ Red Hat Virtualization: Mehrere Schwachstellen ermöglichen u. a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1798/ ∗∗∗ cURL: Eine Schwachstelle ermöglicht u. a. einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1796/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180905-… ∗∗∗ Security Advisory - DoS Vulnerability in Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180905-… ∗∗∗ Python vulnerability CVE-2014-9365 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11068141 ∗∗∗ HPESBST03884 rev.1 - HPE ConvergedSystem 700 Solutions Using HPE 3PAR Service Processor, Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.09.2018
by Daily end-of-shift report 04 Sep '18

04 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Montag 03-09-2018 18:00 − Dienstag 04-09-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Thousands of Compromised MikroTik Routers Send Traffic to Attackers ∗∗∗ --------------------------------------------- Attackers compromising MikroTik routers have configured the devices to forward network traffic to a handful of IP addresses under their control. --------------------------------------------- https://www.bleepingcomputer.com/news/security/thousands-of-compromised-mik… ∗∗∗ New Banking Trojan Poses As A Security Module ∗∗∗ --------------------------------------------- A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-… ∗∗∗ Credit card gobbling code found piggybacking on ecommerce sites ∗∗∗ --------------------------------------------- Be careful! If crooks can upload malicious JavaScript to your ecommerce server, then youre helping the them rip off your own customers. --------------------------------------------- https://nakedsecurity.sophos.com/2018/09/04/credit-card-gobbling-code-found… ∗∗∗ You cant contain me! :: Analyzing and Exploiting an Elevation of Privilege Vulnerability in Docker for Windows ∗∗∗ --------------------------------------------- I have been continuing my journey of searching for windows breakout vulnerabilities in popular applications and one that I discovered in March I found interesting enough to share. Whilst kernel vulnerabilities are fun to discover, there are many core windows and third party applications that are fundamentally broken in regards to logic [...] --------------------------------------------- https://srcincite.io/blog/2018/08/31/you-cant-contain-me-analyzing-and-expl… ∗∗∗ Googles Doors Hacked Wide Open By Own Employee ∗∗∗ --------------------------------------------- Last July, in Google’s Sunnyvale offices, a hacker found a way to trick doors into opening without the requisite RFID keycard. Luckily for Google, it was David Tomaschik, an employee at the tech giant, who only had good intentions. --------------------------------------------- https://www.forbes.com/sites/thomasbrewster/2018/09/03/googles-doors-hacked… ∗∗∗ Erpressungstrojaner Gandcrab verbreitet sich über gefälschte Bewerbungsmails ∗∗∗ --------------------------------------------- Momentan sind vermehrt Fake-Bewerbungen als Mail in Umlauf, die einen gefährlichen Trojaner als Dateianhang haben. --------------------------------------------- http://heise.de/-4154167 ∗∗∗ Sicherheitsforscher warnt vor Browser-Angriffen auf dem Mac ∗∗∗ --------------------------------------------- Mittels URL-Schemata ist es unter macOS möglich, Programme zu aktivieren, die ein Nutzer nicht ausgelöst haben möchte. --------------------------------------------- http://heise.de/-4154059 ∗∗∗ Of ML and malware: What’s in store? ∗∗∗ --------------------------------------------- All things labeled Artificial Intelligence (AI) or Machine Learning (ML) are making waves, but talk of them in cybersecurity contexts often muddies the waters. A new ESET white paper sets out to bring some clarity to a subject where confusion often reigns supreme The post Of ML and malware: What’s in store? appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2018/09/04/ml-malware-whats-in-store/ ∗∗∗ Gefälschte Microsoft-Nachricht im Umlauf ∗∗∗ --------------------------------------------- Datendiebe versenden eine gefälschte Microsoft-Nachricht. Darin behaupten sie, dass das E-Mailkonto von Empfänger/innen gesperrt sei. Damit Nutzer/innen wieder auf ihr Postfach zugreifen können, sollen sie ihre Identität auf einer unbekannten Website bestätigen. Das führt zur Datenübermittlung an Kriminelle. Diese können dadurch Verbrechen unter dem Namen ihrer Opfer begehen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-microsoft-nachricht-im-u… ===================== = Vulnerabilities = ===================== ∗∗∗ Lenovo Computer: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Es existiert eine Schwachstelle in Lenovo Computern mit Intel Prozessoren und Intel Optane Speichermodulen bezüglich der Festplattenverschlüsselung. Wenn die Optane Speichermodule konfiguriert werden, bevor die Festplattenverschlüsselung aktiviert wird, bleiben Teile des Speichers unverschlüsselt. --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2018/09/warn… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (ImageMagick, libressl, postgresql10, spice, and spice-gtk), Red Hat (collectd, kernel, Red Hat Gluster Storage, Red Hat Virtualization, RHGS WA, rhvm-appliance, and samba), and SUSE (crowbar, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, kernel, spice, and spice-gtk). --------------------------------------------- https://lwn.net/Articles/764130/ ∗∗∗ Red Hat Gluster Storage, collectd: Zwei Schwachstellen ermöglichen Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1787/ ∗∗∗ Red Hat Gluster Storage, Samba: Mehrere Schwachstellen ermöglichen u. a. die Manipulation von Dateien ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1786/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.09.2018
by Daily end-of-shift report 03 Sep '18

03 Sep '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 31-08-2018 18:00 − Montag 03-09-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CryptoNar Ransomware Discovered and Quickly Decrypted ∗∗∗ --------------------------------------------- This week a new CryptoJoker ransomware variant was discovered called CryptoNar that has infected victims. The good news, is that a free decryptor was quickly released so that these victims can get their files back for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discove… ∗∗∗ Kostenpflichtige Gratisproben von BeautyShop International ∗∗∗ --------------------------------------------- Konsument/innen bestellen von BeautyShop International Kosmetika als kostenlose Produktproben. Diese erhalten sie mit einer Rechnung von AB Commerce Collect. Bezahlen sie den geforderten Geldbetrag nicht, folgen hohe Mahnungen. Nachdem zwischen Konsument/innen und BeautyShop International kein kostenpflichtiger Vertrag zustande kommt, müssen sie den geforderten Betrag nicht bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/kostenpflichtige-gratisproben-von-be… ===================== = Vulnerabilities = ===================== ∗∗∗ [20180802] - Core - Stored XSS vulnerability in the frontend profile ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Low Severity: Low Versions: 1.5.0 through 3.8.11 Exploit type: XSS CVE Number: CVE-2018-15880 Inadequate output filtering on the user profile page could lead to a stored XSS attack. Affected Installs Joomla! CMS versions 1.5.0 through 3.8.11 Solution Upgrade to version 3.8.12 Contact The JSST at the Joomla! Security Centre. Reported By: Fouad Maakor --------------------------------------------- https://developer.joomla.org/security-centre/744-20180802-core-stored-xss-v… ∗∗∗ CA Release Automation Object Deserialization Error Lets Remote Users Execute Arbitrary Code on the Target System ∗∗∗ --------------------------------------------- Version(s): 6.3, 6.4, 6.5; possibly older versions Description: A vulnerability was reported in CA Release Automation. A remote user can execute arbitrary code on the target system. A remote user can send specially crafted data to trigger an object deserialization error and execute arbitrary code on the target system. --------------------------------------------- http://www.securitytracker.com/id/1041591 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dojo, libtirpc, mariadb-10.0, php5, ruby-json-jwt, spice, spice-gtk, tomcat8, and trafficserver), Fedora (ghc-hakyll, ghc-hs-bibutils, ghostscript, mariadb, pandoc-citeproc, phpMyAdmin, and xen), Mageia (java-1.8.0-openjdk, libarchive, libgd, libraw, libxcursor, mariadb, mercurial, openssh, openssl, poppler, quazip, squirrelmail, and virtualbox), openSUSE (cobbler, libressl, wireshark, and zutils), and SUSE (couchdb, java-1_7_0-ibm, java-1_7_1-ibm, spice). --------------------------------------------- https://lwn.net/Articles/764046/ ∗∗∗ Cisco: CPU Side-Channel Information Disclosure Vulnerabilities: August 2018 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Notice - Statement About the Vulnerability in Huawei B315s-22 Products Disclosed by Security Researcher ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2018/huawei-sn-20180903-01-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.08.2018
by Daily end-of-shift report 31 Aug '18

31 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-08-2018 18:00 − Freitag 31-08-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Firework: Leveraging Microsoft Workspaces in a Penetration Test ∗∗∗ --------------------------------------------- WCX files can be used to configure a Microsoft Workplace on a system with a couple of clicks. The enrollment process could disclose credentials in the form of a NetNTLM hash. Authentication will either take place automatically on older [...] --------------------------------------------- https://trustwave.com/Resources/SpiderLabs-Blog/Firework--Leveraging-Micros… ∗∗∗ BEC fraud burgeoning despite training ∗∗∗ --------------------------------------------- Business email compromises (BEC) - commonly referred to as CEO Fraud because the CEOs identity is being impersonated - continues to grow and, more significantly, succeed due to the simplicity and urgency of the attacks, according to recent study from Barracuda of some 3,000 attacks. --------------------------------------------- https://www.scmagazine.com/bec-fraud-burgeoning-despite-training/article/79… ∗∗∗ John McAfees "unhackbares" Bitcoin-Wallet Bitfi gehackt – mehrmals ∗∗∗ --------------------------------------------- Zum wiederholten Male haben Sicherheitsforscher eigentlich geheime Passphrasen aus dem Bitcoin-Wallet Bitfi ausgelesen. --------------------------------------------- http://heise.de/-4152116 ∗∗∗ How We Micropatched a Publicly Dropped 0day in Task Scheduler (CVE-UNKNOWN) ∗∗∗ --------------------------------------------- [...] Earlier this week security researcher SandboxEscaper published details and proof-of-concept (POC) for a "0day" local privilege escalation vulnerability in Windows Task Scheduler service, which allows a local unprivileged user to change permissions of any file on the system - and thus subsequently replace or modify that file. As the researchers POC demonstrates, one can use this vulnerability [...] --------------------------------------------- https://blog.0patch.com/2018/08/how-we-micropatched-publicly-dropped.html ===================== = Vulnerabilities = ===================== ∗∗∗ Philips e-Alert Unit ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for numerous vulnerabilities in Phillips e-Alert Unit, a non-medical device. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-242-01 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (389-ds-base, bind9, and squirrelmail), Fedora (dolphin-emu), openSUSE (libX11), SUSE (cobbler, GraphicsMagick, ImageMagick, liblouis, postgresql10, qemu, and spice), and Ubuntu (libx11). --------------------------------------------- https://lwn.net/Articles/763906/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2018
by Daily end-of-shift report 30 Aug '18

30 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-08-2018 18:00 − Donnerstag 30-08-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ What are botnets downloading? ∗∗∗ --------------------------------------------- Every day we intercept numerous file-download commands sent to bots of various types and families. Here we present the results of our botnet activity analysis for H2 2017 and H1 2018. --------------------------------------------- https://securelist.com/what-are-botnets-downloading/87658/ ∗∗∗ Crypto Mining Is More Popular Than Ever!, (Thu, Aug 30th) ∗∗∗ --------------------------------------------- We already wrote some diaries about crypto miners and they remain more popular than ever. Based on my daily hunting statistics, we can see that malicious scripts performing crypto mining operations .. --------------------------------------------- https://isc.sans.edu/diary/rss/24050 ∗∗∗ Kritische Lücke in der Klinik: Netzwerk-Gateways am Krankenbett angreifbar ∗∗∗ --------------------------------------------- Capsule-Netzwerkgeräte der Firma Qualcomm Life verbinden Geräte am Krankenbett mit dem Krankenhaus-Netzwerk. Hier klafft eine kritische Sicherheitslücke. --------------------------------------------- http://heise.de/-4151345 ∗∗∗ Intel entwickelt Spezial-Linux für sicherheitskritische Einsätze ∗∗∗ --------------------------------------------- Das Intel Safety Critical Project for Linux OS soll autonome Roboter, Drohnen und selbstfahrende Autos sicher machen. --------------------------------------------- http://heise.de/-4151374 ∗∗∗ Rocke: The Champion of Monero Miners ∗∗∗ --------------------------------------------- Cryptocurrency miners are becoming an increasingly significant part of the threat landscape. These malicious miners steal CPU cycles from compromised devices to mine .. --------------------------------------------- https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.… ∗∗∗ Cyberkriminalität - Schwedischer Wahlkampf vermehrt Cyberangriffen ausgesetzt ∗∗∗ --------------------------------------------- Gefälschte Social-Media-Accounts verbreiten vermehrt falsche Informationen --------------------------------------------- https://derstandard.at/2000086347410/Schwedischer-Wahlkampf-vermehrt-Cybera… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libx11), Fedora (bouncycastle, libxkbcommon, libzypp, nodejs, ntp, openssh, tomcat, xen, and zypper), Red Hat (ansible, kernel, and opendaylight), and SUSE (apache2, cobbler, ImageMagick, libtirpc, libzypp, zypper, and qemu). --------------------------------------------- https://lwn.net/Articles/763824/ ∗∗∗ BlackBerry Powered by Android Security Bulletin - August 2018 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Bing Autosuggest API - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-058 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2018-058 ∗∗∗ Drupal Commerce - Moderately critical - Access bypass - SA-CONTRIB-2018-057 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2018-057 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2018
by Daily end-of-shift report 29 Aug '18

29 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-08-2018 18:00 − Mittwoch 29-08-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Active Attacks Detected Using Apache Struts Vulnerability CVE-2018-11776 ∗∗∗ --------------------------------------------- After last week a security researcher revealed a vulnerability in Apache Struts, a piece of very popular enterprise software, active exploitation attempts have started this week. --------------------------------------------- https://www.bleepingcomputer.com/news/security/active-attacks-detected-usin… ∗∗∗ OpenSSH Versions Since 2011 Vulnerable to Oracle Attack ∗∗∗ --------------------------------------------- OpenSSH continues to be vulnerable to oracle attacks, and the issue affects all versions of the suite since September 2011. Developers fixed a similar bug less than a week ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/openssh-versions-since-2011-… ∗∗∗ Loki Bot: On a hunt for corporate passwords ∗∗∗ --------------------------------------------- Starting in early July, we have seen malicious spam activity that has targeted corporate mailboxes. Messages .. --------------------------------------------- https://securelist.com/loki-bot-stealing-corporate-passwords/87595/ ∗∗∗ 3D Printers in The Wild, What Can Go Wrong?, (Wed, Aug 29th) ∗∗∗ --------------------------------------------- Richard wrote a quick diary yesterday about an interesting information that we received from one of our readers. It&#;x26;#;39;s about a huge amount of OctoPrint interfaces that are publicly facing the Internet. Octoprint[1] is a web interface for .. --------------------------------------------- https://isc.sans.edu/diary/rss/24044 ∗∗∗ PHP-Paket-Repository Packagist.org war für Schadcode anfällig ∗∗∗ --------------------------------------------- In der Webseite Packagist.org klaffte eine gefährliche Sicherheitslücke. Angreifer hätten mit vergleichsweise wenig Aufwand Schadcode ausführen können. --------------------------------------------- http://heise.de/-4149216 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4281 tomcat8 - security update ∗∗∗ --------------------------------------------- Several issues were discovered in the Tomcat servlet and JSPengine. They could lead to unauthorized access to protected resources, denial-of-service, or information leak. --------------------------------------------- https://www.debian.org/security/2018/dsa-4281 ∗∗∗ Cisco Data Center Network Manager Path Traversal Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in Cisco Data Center Network Manager software could allow an authenticated, remote attacker to conduct directory traversal attacks and gain access to sensitive files on the targeted system.The vulnerability is due to improper validation of user requests within the management interface. An attacker could exploit this vulnerability by sending .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.08.2018
by Daily end-of-shift report 28 Aug '18

28 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Montag 27-08-2018 18:00 − Dienstag 28-08-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitsforscher warnen vor kritischer Lücke in Windows ∗∗∗ --------------------------------------------- Eine neue Schwachstelle betrifft offenbar auch vollständig aktualisierte Windows-10-Computer. --------------------------------------------- https://futurezone.at/produkte/sicherheitsforscher-warnen-vor-kritischer-lu… ∗∗∗ Android-Smartphones durch AT-Modembefehle aus den 80ern angreifbar ∗∗∗ --------------------------------------------- Angreifer können neue Firmware flashen, Spionage betreiben und Android-Sicherheitsfunktionen deaktivieren. --------------------------------------------- http://heise.de/-4147013 ∗∗∗ Apache Struts: Exploit für kritische Lücke aufgetaucht ∗∗∗ --------------------------------------------- Admins von Webseiten, die Apache Struts nutzen, sollten dringendst prüfen, ob sie Updates für eine vor kurzem entdeckte Sicherheitslücke eingespielt haben. --------------------------------------------- http://heise.de/-4147203 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates available for Adobe Creative Cloud Desktop Application (APSB18-32) ∗∗∗ --------------------------------------------- https://blogs.adobe.com/psirt/?p=1602 ∗∗∗ [20180803] - Core - ACL Violation in custom fields ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/745-20180803-core-acl-violatio… ∗∗∗ [20180802] - Core - Stored XSS vulnerability in the frontend profile ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/744-20180802-core-stored-xss-v… ∗∗∗ [20180801] - Core - Hardening the InputFilter for PHAR stubs ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/743-20180801-core-hardening-th… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.08.2018
by Daily end-of-shift report 27 Aug '18

27 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-08-2018 18:00 − Montag 27-08-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability ∗∗∗ --------------------------------------------- Researchers find proof-of-concept code that can take advantage of the recently identified Apache Struts framework (CVE-2018-11776) vulnerability. --------------------------------------------- https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnera… ∗∗∗ Password Protected Word Document Delivers HERMES Ransomware ∗∗∗ --------------------------------------------- Evading AV detection is part of a malware authors routine in crafting spam campaigns and an old and effective way of achieving this is spamming a password protected document. Recently, we observed such a .. --------------------------------------------- https://trustwave.com/Resources/SpiderLabs-Blog/Password-Protected-Word-Doc… ∗∗∗ Well, cant get hacked if your PC doesnt work... McAfee yanks BSoDing Endpoint Security patch ∗∗∗ --------------------------------------------- Dont install August update, world+dog warned McAfee has pulled a version of its Endpoint Security software after folks reported the antivirus software was crashing their .. --------------------------------------------- www.theregister.co.uk/2018/08/24/mcafee_blue_screen_of_death/ ∗∗∗ A new issue of our SWITCH Security Report is available! ∗∗∗ --------------------------------------------- Dear Reader! A new issue of our bi-monthly SWITCH Security Report is available! The topics covered in this report are: An own goal and serious foul: Spanish football league’s app turns 10 million users into involuntarily .. --------------------------------------------- https://securityblog.switch.ch/2018/08/27/a-new-issue-of-our-switch-securit… ∗∗∗ Schwachstelle Royale: Fortnite-Installer für Android offen für freies Nachladen ∗∗∗ --------------------------------------------- Bei der Android-Version von Fortnite Battle Royale umging Epic Games den Play Store und lieferte einen eigenen Installer – mit gravierender Sicherheitslücke. --------------------------------------------- http://heise.de/-4145876 ∗∗∗ Who’s Behind the Screencam Extortion Scam? ∗∗∗ --------------------------------------------- The sextortion email scam last month that invoked a real password used by each recipient and threatened to release embarrassing Webcam videos almost certainly was not the work of one criminal or even one group of criminals. Rather, its likely that additional spammers and scammers piled on with their own versions of the phishing email after .. --------------------------------------------- https://krebsonsecurity.com/2018/08/whos-behind-the-screencam-extortion-sca… ∗∗∗ Verschlüsselung - Wenn Paypal und Co plötzlich nicht mehr funktionieren ∗∗∗ --------------------------------------------- Mozilla und Google vertrauen Symantec-Zertifikaten in Entwicklungsversionen ihrer Browser nicht mehr --------------------------------------------- https://derstandard.at/2000086139348/Wenn-Paypal-und-Co-ploetzlich-nicht-me… ===================== = Vulnerabilities = ===================== ∗∗∗ Synology-SA-18:50 Drive ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to obtain sensitive information via a susceptible version of Drive. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_18_50 ∗∗∗ File (Field) Paths - Critical - Remote Code Execution - SA-CONTRIB-2018-056 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2018-056 ∗∗∗ Multiple Cross Site Scripting on FortiCloud Web Interface Login ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-18-026 ∗∗∗ Forgot password link doesnt expire after use ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-18-074 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.08.2018
by Daily end-of-shift report 24 Aug '18

24 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-08-2018 18:00 − Freitag 24-08-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Botnetz: Mirai-Malware gefährdet durch Cross-Compiling noch mehr Systeme ∗∗∗ --------------------------------------------- Eine neue Mirai-Variante kann mittels Aboriginal Linux nun u.a. auch Android- und Debian-Systeme infizieren und in ein Botnetz einspannen. --------------------------------------------- http://heise.de/-4144912 ∗∗∗ Warnung vor hoverboardmarkt.at ∗∗∗ --------------------------------------------- Auf hoverboardmarkt.at finden Konsument/innen stark rabattierte Hoverboards. Es ist unbekannt, wer den Online-Shop betreibt. Es zeigen sich weitere Auffälligkeiten bei dem Anbieter. Aus diesem Grund ist es am sichersten, wenn Konsument/innen nicht bei hoverboardmarkt.at einkaufen. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-hoverboardmarktat/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMware Virtual Appliances, L1 Terminal Fault (L1TF): Eine Schwachstelle ermöglicht das Ausspähen von Informationen ∗∗∗ --------------------------------------------- Ein lokaler, nicht authentisierter Angreifer kann diese Schwachstelle über einen Terminal Seitenfehler (Terminal Page Fault) ausnutzen, um in einem Seitenkanalangriff (Side-Channel Analysis) unautorisiert Informationen aus dem L1 Data Cache auszuspähen. Die Schwachstelle betrifft auch eine Reihe von VMware Produkten, unter anderem vCenter Server (vCSA) 6.0, 6.5 und 6.7 und vSphere Data Protection (VDP) 6.x. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1622/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel-headers), Mageia (bind, cgit, dpkg, sssd, and thunderbird), openSUSE (libXcursor and python-Django), Oracle (postgresql), Red Hat (postgresql), Scientific Linux (postgresql), SUSE (libreoffice, openssl, and xen), and Ubuntu (kernel, linux, linux-aws, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-lts-xenial, linux-aws, and spice, spice-protocol). --------------------------------------------- https://lwn.net/Articles/763429/ ∗∗∗ Apache Struts Remote Code Execution Vulnerability Affecting Cisco Products: August 2018 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco TelePresence IX5000 Series and TelePresence TX9000 Series Cross-Frame Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: An Information Disclosure Vulnerability When Using the RememberMe feature affects WebSphere Commerce ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10728829 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by multiple kernel vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10728537 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM System Networking Switch Center (SNSC) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10729112 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Cognos Business Intelligence affect Rational Insight ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10719165 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Cognos Business Intelligence affect Rational Reporting for Development Intelligence ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ibm10719163 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2018
by Daily end-of-shift report 23 Aug '18

23 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-08-2018 18:00 − Donnerstag 23-08-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Intel erklärt Hardware-Schutz gegen Spectre- & Meltdown-Lücken ∗∗∗ --------------------------------------------- Kommende "Cascade Lake"-Xeons sind gegen Meltdown-Attacken unempfindlich und auch gegen viele Spectre-Attacken – aber Software-Patches bleiben nötig. --------------------------------------------- http://heise.de/-4144368 ∗∗∗ Tool - OpenSSH: Neue Version beseitigt 19 Jahre alte Lücke ∗∗∗ --------------------------------------------- War bereits in der allerersten Version der Software enthalten – Angreifer konnten Nutzernamen raten --------------------------------------------- https://derstandard.at/2000085926326/OpenSSH-Neue-Version-beseitigt-19-Jahr… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and tomcat-native), Fedora (axis, CuraEngine-lulzbot, nodejs, python-uranium-lulzbot, and sleuthkit), Gentoo (chromium, lxc, networkmanager-vpnc, and .. --------------------------------------------- https://lwn.net/Articles/763283/ ∗∗∗ Synology-SA-18:49 Ghostscript ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to execute arbitrary commands via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM) when the AirPrint feature is enabled. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_18_49 ∗∗∗ Vuln: Multiple Symantec Products CVE-2018-5238 DLL Loading Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/105100 ∗∗∗ IBM Security Bulletin: Information disclosure in WebSphere Application Server Liberty (CVE-2018-1755) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10728689 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by a remote command injection vulnerability (CVE-2018-1722) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10719623 ∗∗∗ IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to SQL injection. (CVE-2018-1699) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10725805 ∗∗∗ Side-channel processor vulnerability CVE-2018-3693 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54252492 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2018
by Daily end-of-shift report 22 Aug '18

22 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-08-2018 18:00 − Mittwoch 22-08-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Android Triout Malware Can Record Phone Calls, Steal Pictures ∗∗∗ --------------------------------------------- Security researchers from Bitdefender have discovered a new Android malware strain named Triout that comes equipped with intrusive spyware capabilities, such as the ability to record phone calls and steal pictures taken with the device. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-android-triout-malware-c… ∗∗∗ Unterkunft nicht bei benaco-ferienwohnungen.de buchen ∗∗∗ --------------------------------------------- Auf benaco-ferienwohunungen.de findet man günstige Unterkünfte am Gardasee. Die Inserate wurden jedoch zu betrügerischen Zwecken von echten Portalen kopiert. Die gebotenen Unterkünfte können nicht gebucht werden und Kunden werden um ihr Geld betrogen. --------------------------------------------- https://www.watchlist-internet.at/news/unterkunft-nicht-bei-benaco-ferienwo… ===================== = Vulnerabilities = ===================== ∗∗∗ Bislang kein Patch: Gefährliche Sicherheitslücken im PDF/Postscript-Interpreter Ghostscript ∗∗∗ --------------------------------------------- Angreifer könnten über Schwachstellen im weit verbreiteten Ghostscript-Interpreter Schadcode ausführen. Derzeit gibt es nur einen Workaround zum Schutz. --------------------------------------------- http://heise.de/-4143153 ∗∗∗ Kritische Sicherheitslücke in Apache Struts 2 - Patches verfügbar ∗∗∗ --------------------------------------------- Es wurde eine kritische Sicherheitslücke in Apache Struts 2 gefunden, die schwerwiegende Folgen für die Sicherheit von Webservern, die dieses Framework einsetzen, haben kann. --------------------------------------------- http://www.cert.at/warnings/all/20180822.html ∗∗∗ Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades ∗∗∗ --------------------------------------------- A vulnerability affects all versions of the OpenSSH client released in the past two decades, ever since the application was released in 1999. [...] This bug allows a remote attacker to guess the usernames registered on an OpenSSH server. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vulnerability-affects-all-op… ∗∗∗ Philips IntelliVue Information Center iX ∗∗∗ --------------------------------------------- This medical device advisory includes mitigation recommendations for a resource exhaustion vulnerability in Philips IntelliVue Information Center iX real-time central monitoring system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-233-01 ∗∗∗ Yokogawa iDefine, STARDOM, ASTPLANNER, and TriFellows ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for stack-based buffer overflow vulnerabilities in Yokogawas iDefine, STARDOM, ASTPLANNER, and TriFellows products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-233-01 ∗∗∗ PMASA-2018-5 ∗∗∗ --------------------------------------------- A Cross-Site Scripting vulnerability was found in the file import feature, where an attacker can deliver a payload to a user through importing a specially-crafted file. Assigned CVE ids: CVE-2018-15605 --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2018-5/ ∗∗∗ Adobe Photoshop CC: Zwei Schwachstellen ermöglichen das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- Zwei Schwachstellen in Adobe Photoshop CC 2017 18.1.5 und CC 2018 19.1.5 sowie den jeweils früheren Versionen für Windows und macOS ermöglichen einem entfernten, nicht authentisierten Angreifer die Ausführung beliebigen Programmcodes im Sicherheitskontext des aktiven Benutzers. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1697/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssh and otrs2), Fedora (gifsicle, lighttpd, quazip, and samba), Red Hat (openstack-keystone), Scientific Linux (mutt), Slackware (libX11), SUSE (gtk2, ImageMagick, libcgroup, and libgit2), and Ubuntu (base-files). --------------------------------------------- https://lwn.net/Articles/763157/ ∗∗∗ IBM Security Bulletin: Vulnerabilities in GSKit affects IBM Sterling Connect:Direct for UNIX ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10726077 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016774 ∗∗∗ IBM Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct for UNIX ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10726081 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by a vulnerability in IBM WebSphere Application Server (CVE-2017-1788) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10728345 ∗∗∗ IBM Security Bulletin: IBM WebSphere Commerce Aurora Storefront Could Allow an Open Redirect Attack (CVE-2018-1739) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10725439 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by NTP vulnerabilities (CVE-2017-6462, CVE-2017-6463, CVE-2017-6464) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10728215 ∗∗∗ IBM Security Bulletin: IBM Tivoli Access Manager for e-business and IBM Security Access Manager releases are affected by a Kerberos vulnerability (CVE-2017-11462) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015092 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.08.2018
by Daily end-of-shift report 21 Aug '18

21 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Montag 20-08-2018 18:00 − Dienstag 21-08-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ USB-Kabel können Computer mit Trojanern infizieren ∗∗∗ --------------------------------------------- Sicherheitsforschern ist es gelungen, USB-Ladekabel so zu modifizieren, dass sie Trojaner einschleusen können. --------------------------------------------- https://futurezone.at/produkte/usb-kabel-koennen-computer-mit-trojanern-inf… ∗∗∗ TLS developers should ditch pseudo constant time crypto processing ∗∗∗ --------------------------------------------- Fixes for Lucky 13-type bugs could still be vulnerable More than five years after cracks started showing in the Transport Layer Security (TLS) network crypto protocol, the author of the "Lucky 13" attack has poked holes in the fixes .. --------------------------------------------- www.theregister.co.uk/2018/08/21/tls_developers_should_ditch_pseudo_constan… ∗∗∗ Microsoft: Russische Hacker nehmen Trump-kritische Republikaner ins Visier ∗∗∗ --------------------------------------------- Im Kampf gegen mutmaßlich russische Hacker hat Microsoft weitere Erfolge verkündet: Für Phising-Angriffe auf Republikaner nutzbare Domains wurden entschärft. --------------------------------------------- http://heise.de/-4142219 ∗∗∗ How often are users’ DNS queries intercepted? ∗∗∗ --------------------------------------------- A group of Chinese researchers wanted to find out just how widespread DNS interception is and has presented the result of their large-scale study to the audience at the Usenix Security Symposium last week. The problem Most Internet connections are preceded by a DNS address lookup request, as the Domain Name System (DNS) “translates” .. --------------------------------------------- https://www.helpnetsecurity.com/2018/08/21/dns-interception/ ∗∗∗ The enemy is us: a look at insider threats ∗∗∗ --------------------------------------------- It could be the engineer in the IT department, the janitor mopping the lobby, one of the many managers two floors up, or the contractor who’s been in and out the office for weeks now. Or, maybe it could be you. It .. --------------------------------------------- https://blog.malwarebytes.com/101/2018/08/the-enemy-is-us-a-look-at-insider… ∗∗∗ Darkhotel APT is back: Zero-day vulnerability in Microsoft VBScript is exploited ∗∗∗ --------------------------------------------- VBScript is available in the latest versions of Windows and Internet Explorer 11. However, Microsoft disabled VBScript execution in the latest version of Windows .. --------------------------------------------- https://blog.360totalsecurity.com/en/darkhotel-apt-is-back-zero-day-vulnera… ∗∗∗ Skype - Skype führt "Ende-zu-Ende-Verschlüsselung" ein ∗∗∗ --------------------------------------------- Die Verschlüsselung ist allerdings nicht automatisch aktiviert --------------------------------------------- https://derstandard.at/2000085764456/Skype-fuehrt-Ende-zu-Ende-Verschluesse… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4279 linux - security update ∗∗∗ --------------------------------------------- Multiple researchers have discovered a vulnerability in the way the Intel processor designs have implemented speculative execution of instructions in combination with handling of page-faults. This flaw .. --------------------------------------------- https://www.debian.org/security/2018/dsa-4279 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.08.2018
by Daily end-of-shift report 20 Aug '18

20 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-08-2018 18:00 − Montag 20-08-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ The Week in Ransomware - August 17th 2018 - Princess Evolution & Dharma ∗∗∗ --------------------------------------------- The biggest news was the release of the Princess Evolution RaaS and a new variant of the Dharma ransomware utilizing the .cmb extension for encrypted files. Otherwise, it was mostly small variants released that will not likely have many victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-augus… ∗∗∗ New Fox Ransomware Matrix Variant Tries Its Best to Close All File Handles ∗∗∗ --------------------------------------------- A new variant of the Matrix Ransomware has been discovered that is renaming encrypted files and then appending the .FOX extension to the file name. Of particular interest, this ransomware could have the most exhaustive process of making sure each and every file is not opened and available for encrypting. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-fox-ransomware-matrix-va… ∗∗∗ New "Turning Tables" Technique Bypasses All Windows Kernel Mitigations ∗∗∗ --------------------------------------------- Security researchers have discovered a new exploitation technique that they say can bypass the kernel protection measures present in the Windows operating systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-turning-tables-technique… ∗∗∗ Malspam Campaign Targets Banks Using Microsoft Publisher ∗∗∗ --------------------------------------------- Its very unusual for malware authors to utilize publishing software like Microsoft Publisher which is mainly used for fancy documents and desktop publishing tasks. So when we saw an email sample with a .pub attachment (Microsoft Office Publisher file) and [...] --------------------------------------------- https://www.trustwave.com/Resources/SpiderLabs-Blog/Malspam-Campaign-Target… ∗∗∗ Fake Plugins with Popuplink.js Redirect to Scam Sites ∗∗∗ --------------------------------------------- Since July, we've been observing a massive WordPress infection that is responsible for unwanted redirects to scam and ad sites. This infection involves the tiny.cc URL shortener, a fake plugin that has been called either "index" or "wp_update", and a malicious popuplink.js file. --------------------------------------------- https://blog.sucuri.net/2018/08/fake-plugins-with-popuplink-js-redirect-to-… ∗∗∗ Fax-Lücke in HP-Druckern: Mac-Nutzer weiter angreifbar ∗∗∗ --------------------------------------------- Firmware-Updates für eine schwere Lücke in seinen Multifunktionsdruckern liefert Hewlett-Packard zum Teil nur für Windows. Es gibt aber Abhilfe. --------------------------------------------- http://heise.de/-4141384 ∗∗∗ Firefox-Add-on "Web Security": Entwickler räumen Fehler ein ∗∗∗ --------------------------------------------- Das Firefox-Add-on "Web Security" sammelte zu viele Daten und übertrug sie unverschlüsselt. Das war ein Fehler, räumen die Entwickler ein und geloben Besserung. --------------------------------------------- http://heise.de/-4141593 ∗∗∗ Banker Trojan, "TrickBot", is preparing for the next global outbreak by using new techniques ∗∗∗ --------------------------------------------- Recently, 360 Security Center detected a new variant of "TrickBot" banker Trojan. Compared to the previous "TrickBot", the functions of the latest "TrickBot" are all [...] --------------------------------------------- https://blog.360totalsecurity.com/en/banker-trojan-trickbot-is-preparing-fo… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (confuse, jetty9, kamailio, kernel, libxcursor, and mutt), Fedora (blktrace, docker-latest, libgit2, and yubico-piv-tool), Mageia (chromium-browser-stable, flash-player-plugin, kernel, kernel-linus, kernel-tmb, microcode, openslp, and wpa_supplicant), openSUSE (apache2, curl, GraphicsMagick, perl-Archive-Zip, and xen), Oracle (kernel and mariadb), Red Hat (rh-postgresql95-postgresql), Slackware (ntp and samba), SUSE (apache2, curl, kernel, [...] --------------------------------------------- https://lwn.net/Articles/763045/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016776 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by a systemd vulnerability (CVE-2018-1049) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10728209 ∗∗∗ Linux kernel vulnerability (FragmentSmack) CVE-2018-5391 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74374841 ∗∗∗ HPESBHF03850 rev.5 - Certain HPE Products using Intel-based Processors, Local Disclosure of Information, Speculative Execution Side Channel Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.08.2018
by Daily end-of-shift report 17 Aug '18

17 Aug '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-08-2018 18:00 − Freitag 17-08-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ PHP Deserialization Issue Left Unfixed in WordPress CMS ∗∗∗ --------------------------------------------- WordPress CMS installations are vulnerable to a PHP bug related to data unserialization (also known as deserialization), a security researcher has revealed at the start of the month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/php-deserialization-issue-le… ∗∗∗ New Trickbot Variant Touts Stealthy Code-Injection Trick ∗∗∗ --------------------------------------------- Trickbot is back, this time with a stealthy code injection trick. --------------------------------------------- https://threatpost.com/new-trickbot-variant-touts-stealthy-code-injection-t… ∗∗∗ Highly Flexible Marap Malware Enters the Financial Scene ∗∗∗ --------------------------------------------- A new downloader, which has been spotted in an array of recent email campaigns, uses anti-analysis techniques and calls in a system fingerprinting module. --------------------------------------------- https://threatpost.com/highly-flexible-marap-malware-enters-the-financial-s… ∗∗∗ Anti-Coinminer Mining Campaign ∗∗∗ --------------------------------------------- Coinminer malware has been on the rise for some time. As more and more users become aware of this threat and try to take measures to protect themselves, cybercriminals are attempting to cash on that fear by serving crypto-miner malware from a website claiming to offer a coinminer blocker. --------------------------------------------- https://www.zscaler.com/blogs/research/anti-coinminer-mining-campaign ∗∗∗ Detecting SSH Username Enumeration ∗∗∗ --------------------------------------------- A very quick post about a new thread which has been started yesterday on the OSS-Security mailing list. It's about a vulnerability affecting almost ALL SSH server version. --------------------------------------------- https://blog.rootshell.be/2018/08/16/detecting-ssh-username-enumeration/ ∗∗∗ Arbitrary, Unsigned Code Execution Vector in Microsoft.Workflow.Compiler.exe ∗∗∗ --------------------------------------------- Microsoft.Workflow.Compiler.exe, a utility included by default in the .NET framework, permits the execution of arbitrary, unsigned code by supplying a serialized workflow in the form of a XOML workflow file (dont worry. I had no clue what that was either) and an XML file consisting of serialized compiler arguments. --------------------------------------------- https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-mic… ∗∗∗ Back to the 90s: FragmentSmack ∗∗∗ --------------------------------------------- As we had the previous week SegmentSmack (CVE-2018-5390) allowing remote DoS attacks by sending crafted TCP packets, this week a similar vulnerability has been reported on IP fragments. --------------------------------------------- https://isc.sans.edu/forums/diary/Back+to+the+90s+FragmentSmack/23998/ ===================== = Vulnerabilities = ===================== ∗∗∗ Philips PageWriter TC10, TC20, TC30, TC50, and TC70 Cardiographs ∗∗∗ --------------------------------------------- This medical device advisory includes mitigation recommendations for improper input validation and use of hard-coded credentials vulnerabilities in Philips PageWriter Cardiographs. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-228-01 ∗∗∗ Emerson DeltaV DCS Workstations ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for uncontrolled search path element, relative path traversal, improper privilege management, and stack-based buffer overflow vulnerabilities in Emersons Delta V workstations. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-228-01 ∗∗∗ Tridium Niagara ∗∗∗ --------------------------------------------- This advisory was originally posted to the HSIN ICS-CERT library on July 10, 2018, and is being released to the NCCIC/ICS-CERT website. This advisory includes mitigation recommendations for path traversal and improper authentication vulnerabilities in Tridums Niagara systems. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-191-03 ∗∗∗ WAGO 750-8xx Controller Denial of Service ∗∗∗ --------------------------------------------- The 750-8xx controller are susceptible to a Denial-of-Service attack due to a flood of network packets. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2018-013 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode, keystone, php-horde-image, and xen), Fedora (rsyslog), openSUSE (apache2, clamav, kernel, php7, qemu, samba, and Security), Oracle (mariadb and qemu-kvm), Red Hat (docker, mariadb, and qemu-kvm), Scientific Linux (mariadb and qemu-kvm), SUSE (GraphicsMagick, kernel, kgraft, mutt, perl-Archive-Zip, python, and xen), and Ubuntu (postgresql-10, postgresql-9.3, postgresql-9.5, procps, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/762914/ ∗∗∗ Jenkins: Mehrere Schwachstellen ermöglichen u. a. Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1645/ ∗∗∗ Red Hat JBoss Core Services Apache HTTP Server: Mehrere Schwachstellen ermöglichen u. a. verschiedene Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1673/ ∗∗∗ Red Hat JBoss Web Server: Mehrere Schwachstellen ermöglichen das Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1674/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ibm10719653 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=ibm10713739 ∗∗∗ BIG-IP APM client for Linux and macOS X vulnerabilitiy CVE-2018-5546 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54431371 ∗∗∗ BIG-IP APM client for Windows vulnerability CVE-2018-5547 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10015187 ∗∗∗ BIG-IP APM client for Linux and macOS vulnerabilitiy CVE-2018-5546 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54431371 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily