- Daily - CERT.at

Tageszusammenfassung - 09.05.2019
by Daily end-of-shift report 09 May '19

09 May '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-05-2019 18:00 − Donnerstag 09-05-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Samsung: Forscher konnte auf Entwicklungsumgebung zugreifen ∗∗∗ --------------------------------------------- Zugangsdaten, Zertifikate, Tokens, Schlüssel und Quellcode: Ein Sicherheitsforscher fand eine öffentlich zugängliche Gitlab-Installation von Samsung - und hätte selbst den Softwarecode ändern können. --------------------------------------------- https://www.golem.de/news/samsung-forscher-konnte-auf-entwicklungsumgebung-… ∗∗∗ Eggheads confirm: Rampant Android bloatware a privacy and security hellscape ∗∗∗ --------------------------------------------- Bundled software not just an annoyance, its also a risk The apps bundled with many Android phones are presenting threats to security and privacy greater than most users think. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2019/05/09/android_blo… ∗∗∗ Ongoing Credit Card Data Leak ∗∗∗ --------------------------------------------- Our DNSMon flagged an abnormal domain name magento-analytics[.]com, through continuous tracking, and correlation with various data, we found out that the domain name has been used to inject malicious JS script to various online shopping sites to steal the credit card owner / card number / expiration time / CVV information. --------------------------------------------- https://blog.netlab.360.com/ongoing-credit-card-data-leak/ ∗∗∗ Kritische Lücke: Docker-Images von Alpine Linux mit Root-Zugang ohne Passwort ∗∗∗ --------------------------------------------- Einige Versionen der offiziellen Docker-Images von Alpine Linux erlaubten das Einloggen als root mit leerem Passwortfeld. Jetzt ist das Problem behoben. --------------------------------------------- https://heise.de/-4418636 ∗∗∗ Vulnerabilities in financial mobile apps put consumers and businesses at risk ∗∗∗ --------------------------------------------- It’s good to know that your bank’s website boasts that little green padlock, promotes secure communication, and follows a two-factor authentication (2FA) scheme. But are their mobile apps equally secure? --------------------------------------------- https://blog.malwarebytes.com/101/2019/05/vulnerabilities-in-financial-mobi… ∗∗∗ Vulnerability Spotlight: Remote code execution bug in SQLite ∗∗∗ --------------------------------------------- SQLite contains an exploitable use-after-free vulnerability that could allow an attacker to gain the ability to remotely execute code on the victim machine. --------------------------------------------- https://blog.talosintelligence.com/2019/05/vulnerability-spotlight-remote-c… ∗∗∗ Finger weg von elektriker-mg.at ∗∗∗ --------------------------------------------- Beauftragen Sie elektriker-mg.at besser nicht bei Problemen, denn dieses Unternehmen ist betrügerisch. elektriker-mg.at wirbt auf seiner Website damit, 24 Stunden am Tag und 365 Tage im Jahr verfügbar und innerhalb kürzester Zeit bei Ihnen zu sein. Das freundliche Lächeln des Elektrikers trügt: Sie werden um viel Geld betrogen und Ihr Schaden wird nicht behoben! --------------------------------------------- https://www.watchlist-internet.at/news/finger-weg-von-elektriker-mgat/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (drupal7, exiv2, filezilla, and libfilezilla), openSUSE (gnutls, GraphicsMagick, hostinfo, supportutils, and ovmf), Scientific Linux (flatpak and ghostscript), SUSE (mutt and samba), and Ubuntu (Monit). --------------------------------------------- https://lwn.net/Articles/787943/ ∗∗∗ Phar Vulnerabilities Patched in Drupal, TYPO3 ∗∗∗ --------------------------------------------- Updates released this week for the Drupal and TYPO3 open source content management systems (CMSs) patch vulnerabilities related to how Phar archives are handled. The Phar (PHP Archive) package format enables developers to place all the files of a PHP application inside a single archive. --------------------------------------------- https://www.securityweek.com/phar-vulnerabilities-patched-drupal-typo3 ∗∗∗ Kaspersky Anti-Virus: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0387 ∗∗∗ IBM Security Bulletin: Cross-site scripting in IBM Business Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4204) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM DataPower Gateway is affected by a message spoofing vulnerability (CVE-2019-6110) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-datapower-gateway… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Cloud App Management V2018 could allow an attacker to obtain sensitive configuration information ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-open… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Cloud App Management V2018.4.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: A vulnerability in Apache Tomcat could affect IBM Cloud App Management V2018 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ap… ∗∗∗ IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential cross-site request forgery vulnerability (CVE-2018-1790) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.05.2019
by Daily end-of-shift report 08 May '19

08 May '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-05-2019 18:00 − Mittwoch 08-05-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hacker gesucht: "Auch Zehnjährige verstehen, was ein sicheres Passwort ist" ∗∗∗ --------------------------------------------- Ab sofort werden im Rahmen der Cyber Security Challenge wieder die besten Hacker Österreichs gesucht. --------------------------------------------- https://futurezone.at/digital-life/hacker-gesucht-auch-zehnjaehrige-versteh… ∗∗∗ Biometric Authentication Overview, Advantages & Disadvantages [Updated 2019] ∗∗∗ --------------------------------------------- What is biometric authentication? Biometric authentication is simply the process of verifying your identity using your measurements or other unique characteristics of your body, then logging you in a service, an app, a device and so on. What’s complicated is the technology behind it, so let’s see how it works. --------------------------------------------- https://heimdalsecurity.com/blog/biometric-authentication/ ∗∗∗ Researchers’ Evil Clippy cloaks malicious Office macros ∗∗∗ --------------------------------------------- A team of security researchers has exploited Microsoft’s patchy macro documentation to hide malicious code inside innocent-looking macros. --------------------------------------------- https://nakedsecurity.sophos.com/2019/05/08/researchers-cloak-malicious-off… ∗∗∗ Unternehmen aufgepasst: Bewerbungen mit Schadsoftware in Umlauf ∗∗∗ --------------------------------------------- Generisch gehaltene Mails mit dem Betreff „Bewerbung für Ihre Stellenausschreibung“ werden momentan von Kriminellen verbreitet. Die Nachrichten enthalten ein passwortgeschütztes und somit verschlüsseltes Word-Dokument. Das dazugehörige Passwort ist in der Mail zu finden. Empfänger/innen dürfen den Anhang nicht öffnen. Er enthält Schadsoftware! --------------------------------------------- https://www.watchlist-internet.at/news/unternehmen-aufgepasst-bewerbungen-m… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Elastic Services Controller REST API Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the REST API of Cisco Elastic Services Controller (ESC) could allow an unauthenticated, remote attacker to bypass authentication on the REST API.The vulnerability is due to improper validation of API requests. An attacker could exploit this vulnerability by sending a crafted request to the REST API. A successful exploit could allow the attacker to execute arbitrary actions through the REST API with administrative privileges on an affected system. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dovecot, kernel, linux-zen, munin, nautilus, perl-email-address, and tcpreplay), Debian (atftp), Fedora (perl-YAML and teeworlds), Mageia (java-1.8.0-openjdk, ldb, libsolv, and putty/filezilla/wxgtk), openSUSE (freeradius-server, libjpeg-turbo, pacemaker, rubygem-actionpack-5_1, wpa_supplicant, and yubico-piv-tool), Red Hat (chromium-browser, container-tools:rhel8, edk2, firefox, flatpak, ghostscript, httpd:2.4, mod_auth_mellon, openwsman, [...] --------------------------------------------- https://lwn.net/Articles/787842/ ∗∗∗ [20190502] - Core - By-passing protection of Phar Stream Wrapper Interceptor ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/vyaXtvewK3I/781-20190502-c… ∗∗∗ [20190501] - Core - XSS in com_users ACL debug views ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/xio2qb8Db2U/780-20190501-c… ∗∗∗ TYPO3-PSA-2019-008: By-passing protection of Phar Stream Wrapper Interceptor ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2019-008/ ∗∗∗ TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2019-007/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Session Management vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-4072) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-session-management-vu… ∗∗∗ IBM Security Bulletin: Potential CSV injection threat affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-4071) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-csv-injecti… ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by a Spring Framework vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: Potential denial of service in WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-10237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-denial-of-s… ∗∗∗ IBM Security Bulletin: IBM MQ Advanced Cloud Pak is vulnerable to a buffer overflow in the curl command (CVE-2018-16842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-advanced-cloud… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Planning ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Security vulnerabilities have been identified in IBM Java Runtime and the microcode shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.05.2019
by Daily end-of-shift report 07 May '19

07 May '19

===================== = End-of-Day report = ===================== Timeframe: Montag 06-05-2019 18:00 − Dienstag 07-05-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Confluence Servers Hacked to Install Miners and Rootkits ∗∗∗ --------------------------------------------- After getting pounded with ransomware and malware for deploying distributed denial-of-service (DDoS) attacks, unpatched Confluence servers are now compromised to mine for cryptocurrency. --------------------------------------------- https://www.bleepingcomputer.com/news/security/confluence-servers-hacked-to… ∗∗∗ "7 Tips For Planning ICS Plant Visits" ∗∗∗ --------------------------------------------- As you plan the next visit to your ICS plant(s) with your security team, consider these seven tips. They will maximize time on-site for accurate asset identification, effective cybersecurity awareness that will foster IT and OT relationships for smooth ICS incident response, and highlight new ways to ethically hack your digital and physical security perimeter. --------------------------------------------- http://ics.sans.org/blog/2019/05/06/7-tips-for-planning-ics-plant-visits ∗∗∗ Entschlüsselungstool für Erpressungstrojaner MegaLocker/NamPoHyu verfügbar ∗∗∗ --------------------------------------------- Sicherheitsforscher haben ein Gratis-Entschlüsselungstool für eine aktuelle Ransomware veröffentlicht. Der Malware-Entwickler findet das gar nicht witzig. --------------------------------------------- https://heise.de/-4415835 ∗∗∗ Turla LightNeuron: An email too far ∗∗∗ --------------------------------------------- ESET research uncovers Microsoft Exchange malware remotely controlled via steganographic PDF and JPG email attachments --------------------------------------------- https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/ ∗∗∗ WordPress GraphQL plugin exploit ∗∗∗ --------------------------------------------- Third-party plugins are often the security Achilles heel of Content Management Systems (CMS). It seems like not a month goes by without one security researcher or another uncovers a vulnerability in a plugin, undermining the security of the whole platform. --------------------------------------------- https://www.pentestpartners.com/security-blog/wordpress-graphql-plugin-expl… ∗∗∗ Surge of MegaCortex ransomware attacks detected ∗∗∗ --------------------------------------------- New MegaCortex ransomware strain detected targeting the enterprise sector. --------------------------------------------- https://www.zdnet.com/article/sudden-surge-of-megacortex-ransomware-infecti… ∗∗∗ WordPress finally gets the security features a third of the Internet deserves ∗∗∗ --------------------------------------------- WordPress 5.2 released with support for cryptographically-signed updates, a modern cryptographic library. --------------------------------------------- https://www.zdnet.com/article/wordpress-finally-gets-the-security-features-… ===================== = Vulnerabilities = ===================== ∗∗∗ [20190501] - Core - XSS in com_users ACL debug views ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Moderate Severity: Low Versions: 1.7.0 through 3.9.5 Exploit type: XSS Reported Date: 2019-April-29 Fixed Date: 2019-May-07 CVE Number: CVE-2019-11809 Description The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector. Affected Installs Joomla! CMS versions 1.7.0 through 3.9.5 Solution Upgrade to version 3.9.6 Contact The JSST at the Joomla! Security Centre. Reported By: Jose Antonio --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/xio2qb8Db2U/780-20190501-c… ∗∗∗ Android Security Bulletin - May 2019 ∗∗∗ --------------------------------------------- [...] The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2019-05-01.html ∗∗∗ USN-3969-1: wpa_supplicant and hostapd vulnerability ∗∗∗ --------------------------------------------- wpa vulnerabilityA security issue affects these releases of Ubuntu and its derivatives:Ubuntu 19.04Ubuntu 18.10Ubuntu 18.04 LTSUbuntu 16.04 LTSSummarywpa_supplicant and hostapd could be made to crash if they receivedspecially crafted network traffic. --------------------------------------------- https://usn.ubuntu.com/3969-1/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (389-ds-base, firefox-esr, and symfony), Fedora (poppler), SUSE (audit, ovmf, and webkit2gtk3), and Ubuntu (aria2, FFmpeg, gnome-shell, and sudo). --------------------------------------------- https://lwn.net/Articles/787732/ ∗∗∗ Security Bulletins for TYPO3 CMS ∗∗∗ --------------------------------------------- https://typo3.org/help/security-advisories/typo3-cms/ ∗∗∗ Security Bulletins for TYPO3 Extensions ∗∗∗ --------------------------------------------- https://typo3.org/help/security-advisories/typo3-extensions/ ∗∗∗ Public Services Announcements for TYPO3 ∗∗∗ --------------------------------------------- https://typo3.org/help/security-advisories/public-service-announcements/ ∗∗∗ IBM Security Bulletin: Multiple Java Vulnerabilities Impact IBM Control Center (CVE-2018-3180, CVE-2018-1890) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-java-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2019
by Daily end-of-shift report 06 May '19

06 May '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-05-2019 18:00 − Montag 06-05-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cronjob Backdoors ∗∗∗ --------------------------------------------- Attackers commonly rely on backdoors to easily gain reentry and maintain control over a website. They also use PHP functions to further deepen the level of their backdoors. A good example of this is the shell_exec function which allows plain shell commands to be run directly through the web application, providing attackers with an increased level of control over the environment. --------------------------------------------- https://blog.sucuri.net/2019/05/cronjob-backdoors.html ∗∗∗ WLAN-Presenter-Systeme mit kritischen Sicherheitslücken ∗∗∗ --------------------------------------------- WLAN-Gateways, die in vielen Meeting-Räumen das kabellose Anzeigen von Folien ermöglichen, lassen sich kapern und mit Schadcode verseuchen. --------------------------------------------- https://heise.de/-4413258 ∗∗∗ Erpressungswelle zielt auf öffentliche Git-Repositorys ∗∗∗ --------------------------------------------- Seit einigen Tagen haben Erpresser zahlreiche Repositorys bei GitHub, GitLab und BitBucket gelöscht und fordern Bitcoins für die Wiederherstellung. --------------------------------------------- https://heise.de/-4413576 ∗∗∗ Betrügerische Job-Angebote verführen zur Geldwäsche ∗∗∗ --------------------------------------------- Auf der Suche nach dem neuen Job stoßen Konsument/innen häufig auf betrügerische Angebote, bei denen die Aufgabe aus der Weiterleitung von Geldbeträgen besteht. Nicht immer ist dies bereits in der entsprechenden Jobausschreibung erkennbar. So geschehen auch auf der von Kriminellen übernommenen Website bulldozer-sprachschule.at, wo Bewerber/innen zur Geldwäsche aufgefordert wurden. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-job-angebote-verfuehr… ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity PrinterLogic Flaws Enable Remote Code Execution ∗∗∗ --------------------------------------------- The three flaws enable an unauthenticated attacker to launch remote code execution attacks on printers. --------------------------------------------- https://threatpost.com/printerlogic-remote-code-execution/144383/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jquery, librecad, and phpbb3), Fedora (bubblewrap, java-11-openjdk, libvirt, openssh, and pacemaker), Mageia (virtualbox), openSUSE (chromium, ImageMagick, and java-11-openjdk), and SUSE (openssl-1_1). --------------------------------------------- https://lwn.net/Articles/787599/ ∗∗∗ HPESBHF03769 rev.2 - HPE Integrated Lights-out 4 (iLO 4), and Moonshot Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ IBM Security Bulletin: IBM TRIRIGA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data (CVE-2019-4208) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-tririga-is-vulner… ∗∗∗ IBM Security Bulletin: IBM TRIRIGA Application Platform may disclose sensitive information (CVE-2019-4207) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-tririga-applicati… ∗∗∗ IBM Security Bulletin: Vulnerability in Pivotal Spring Framework affects IBM TRIRIGA Application Platform (CVE-2018-15786) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-pivo… ∗∗∗ IBM Security Bulletin: IBM TRIRIGA Application Platform could disclose sensitive information (CVE-2018-2008) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-tririga-applicati… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management V2018 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Cúram Social Program Management contains a cross-site request forgery vulnerability in the REST API (CVE-2018-2001) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-curam-social-prog… ∗∗∗ IBM Security Bulletin: Java Vulnerability Affects IBM Sterling Connect:Direct Browser User Interface (CVE-2018-1890, CVE-2018-3180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-java-vulnerability-af… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® Runtime Environment Java™ Version affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerabilities in GNU OpenSSL (1.0.2 series) affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-gn… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.05.2019
by Daily end-of-shift report 03 May '19

03 May '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-05-2019 18:00 − Freitag 03-05-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Decryptor for MegaLocker and NamPoHyu Virus Ransomware Released ∗∗∗ --------------------------------------------- Emsisoft has released a decryptor for the MegaLocker and NamPoHyu Virus ransomware that has been targeting exposed Samba servers. Victims can now use this decryptor to recover their files for free. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/decryptor-for-megalocker-and… ∗∗∗ Informal Expert Group on EU Member States Incident Response Development ∗∗∗ --------------------------------------------- ENISA launches this Call for Participation to invite experts to participate in its expert group. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/informal-e-xpert-group-on-eu-ms… ∗∗∗ 2019: The Return of Retefe ∗∗∗ --------------------------------------------- Retefe is a banking Trojan that historically has routed online banking traffic intended for targeted banks through a proxy instead of the web injects more typical of other bankers. [...] Although Retefe only appeared infrequently in 2018, the banker returned to more regular attacks on Swiss and German victims in April of 2019 with both a Windows and macOS version. Retefes return to the landscape was marked by several noteworthy changes: [...] --------------------------------------------- https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe ∗∗∗ Abus Funkalarmanlage: Sicherheitslücke erlaubt Klonen von RFID-Schlüsseln ∗∗∗ --------------------------------------------- Erst vergangene Woche enthüllten Sicherheitsforscher drei Sicherheitslücken in Abus Secvest Alarmanlagen. Nun folgt eine weitere. --------------------------------------------- https://heise.de/-4412282 ∗∗∗ D-Link schützt DNS-320 und weitere NAS mit Updates gegen Cr1ptTor-Ransomware ∗∗∗ --------------------------------------------- Die Netzwerkspeicher DNS-320L, DNS-325 und DNS-327L waren anfällig für Angriffe durch den Verschlüsselungstrojaner Cr1ptor. Firmware-Updates sollen das ändern. --------------------------------------------- https://heise.de/-4412656 ∗∗∗ Vulnerabilities Found in Over 100 Jenkins Plugins ∗∗∗ --------------------------------------------- A researcher has discovered vulnerabilities in more than 100 plugins designed for the Jenkins open source software development automation server and many of them have yet to be patched. read more --------------------------------------------- https://www.securityweek.com/vulnerabilities-found-over-100-jenkins-plugins ===================== = Vulnerabilities = ===================== ∗∗∗ Orpak SiteOmat ∗∗∗ --------------------------------------------- This advisory includes mitigations for use of hard-coded credentials, cross-site scripting, SQL injection, missing encryption of sensitive data, code injection, and stack-based buffer overflow vulnerabilities reported in Orpak’s SiteOmat, software for fuel station management. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-122-01 ∗∗∗ GE Communicator ∗∗∗ --------------------------------------------- This advisory includes mitigations for uncontrolled search path, use of hard-coded credentials, and improper access control vulnerabilities reported in GEs Communicator software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-122-02 ∗∗∗ Sierra Wireless AirLink ALEOS ∗∗∗ --------------------------------------------- This advisory includes mitigations for OS command injection, use of hard-coded credentials, unrestricted upload of file with dangerous type, cross-site scripting, cross-site request forgery, information exposure, and missing encryption of sensitive data vulnerabilities reported in the Sierra Wireless AirLink ALEOS products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-122-03 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (linux-4.9 and otrs2), Fedora (gradle, java-1.8.0-openjdk, jetty, kernel, ruby, and runc), openSUSE (dovecot23, jasper, libsoup, ntfs-3g_ntfsprogs, and webkit2gtk3), SUSE (openssl), and Ubuntu (python-gnupg). --------------------------------------------- https://lwn.net/Articles/787413/ ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Releases 1801-w and 1801-y ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.05.2019
by Daily end-of-shift report 02 May '19

02 May '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-04-2019 18:00 − Donnerstag 02-05-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phishing-Mail hat es auf Ihr Willhaben-Konto abgesehen ∗∗∗ --------------------------------------------- Erneut sind Phishing-Mails Krimineller im Umlauf. Die Mails erwecken den Anschein, von der Kleinanzeigenplattform Willhaben zu stammen und informieren über die Veröffentlichung einer Verkaufsanzeige für eine Samsung Waschmaschine. Empfänger/innen dürfen den Links in der Nachricht nicht folgen und keine Daten eingeben, ansonsten verlieren sie ihr Willhaben-Konto. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mail-hat-es-auf-ihr-willhab… ∗∗∗ JavaScript card sniffing attacks spread to other e-commerce platforms ∗∗∗ --------------------------------------------- OpenCart, OSCommerce, WooCommerce, Shopify are also being targeted. --------------------------------------------- https://www.zdnet.com/article/javascript-card-sniffer-attacks-spread-to-oth… ∗∗∗ 50,000 enterprise firms running SAP software vulnerable to attack ∗∗∗ --------------------------------------------- 9 out of 10 SAP production systems are believed to be vulnerable to new exploits. --------------------------------------------- https://www.zdnet.com/article/50000-enterprise-firms-running-sap-software-v… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Treiberinstallation auf Dell-Laptops angreifbar ∗∗∗ --------------------------------------------- Eine auf Dell-Laptops vorinstallierte Windows-Software zur Installation von Treibern öffnet einen lokalen HTTP-Server. Ein Netzwerkangreifer kann das missbrauchen, um Schadsoftware zu installieren. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-treiberinstallation-auf-dell-la… ∗∗∗ Rockwell Automation CompactLogix 5370 ∗∗∗ --------------------------------------------- This advisory includes mitigations for uncontrolled resource consumption and stack-based buffer overflow vulnerabilities reported in Rockwell Automation’s CompactLogix 5370 controllers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-120-01 ∗∗∗ Citrix SD-WAN Security Update ∗∗∗ --------------------------------------------- An information disclosure vulnerability has been identified in the Citrix SD-WAN Appliance. This vulnerability could allow an unauthenticated attacker to perform a man-in-the-middle attack against management traffic. --------------------------------------------- https://support.citrix.com/article/CTX247735 ∗∗∗ Jetzt patchen: Cisco schließt Lücken in zahlreichen Produkten ∗∗∗ --------------------------------------------- Es ist mal wieder so weit: Netzwerkausrüster Cisco hat zahlreiche Aktualisierungen veröffentlicht. Eine der gepatchten Lücken gilt als kritisch. --------------------------------------------- https://heise.de/-4411599 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libmediainfo, php-horde-horde, and php-horde-turba), SUSE (hostinfo, supportutils, libjpeg-turbo, and openssl), and Ubuntu (dovecot, libpng1.6, and memcached). --------------------------------------------- https://lwn.net/Articles/787232/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (proftpd-dfsg and signing-party), Fedora (php-horde-horde and php-horde-turba), and Ubuntu (php5). --------------------------------------------- https://lwn.net/Articles/787299/ ∗∗∗ Many Vulnerabilities Found in Wireless Presentation Devices ∗∗∗ --------------------------------------------- Researchers at Tenable have discovered a total of 15 vulnerabilities across eight wireless presentation systems, including flaws that can be exploited to remotely hack devices. read more --------------------------------------------- https://www.securityweek.com/many-vulnerabilities-found-wireless-presentati… ∗∗∗ Vuln: Microsoft Visual Studio asm Remote Memory Corruption Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/108122 ∗∗∗ Vuln: Apache Archiva CVE-2019-0214 Arbitrary File Write Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/108124 ∗∗∗ IBM Security Advisories ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Appliance mode vulnerability CVE-2019-6614 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K46524395 ∗∗∗ CGNAT/PPTP vulnerability CVE-2019-6611 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K47527163 ∗∗∗ DNS vulnerability CVE-2019-6612 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K24401914 ∗∗∗ Appliance mode tmsh vulnerability CVE-2019-6615 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87659521 ∗∗∗ Appliance mode tmsh vulnerability CVE-2019-6616 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K82814400 ∗∗∗ SNMP vulnerability CVE-2019-6613 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K27400151 ∗∗∗ BIG-IP Resource Administrator vulnerability CVE-2019-6618 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K07702240 ∗∗∗ BIG-IP Resource Administrator vulnerability CVE-2019-6617 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K38941195 ∗∗∗ HTTP/2 ALPN vulnerability CVE-2019-6619 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K94563344 ∗∗∗ NodeJS vulnerability CVE-2018-12120 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K37111863 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.04.2019
by Daily end-of-shift report 30 Apr '19

30 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Montag 29-04-2019 18:00 − Dienstag 30-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ APT trends report Q1 2019 ∗∗∗ --------------------------------------------- This is our latest summary of APT activity, based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. It aims to highlight the significant events and findings that we feel people should be aware of. --------------------------------------------- https://securelist.com/apt-trends-report-q1-2019/90643/ ∗∗∗ Vorsicht vor Bestellungen auf cragoo.at und cragoo.de ∗∗∗ --------------------------------------------- Bei cragoo.de bzw. cragoo.at handelt es sich um einen Online-Shop der Firma TA Retail UG mit sehr breitem Sortiment. Es werden unter anderem Haushaltsgeräte, Technik, Autozubehör, Bauutensilien, Fahrräder, Möbel und Spielzeug angeboten. Doch Vorsicht: Uns erreichen laufend Meldungen verärgerter Konsument/innen, die einen Einkauf per Vorkasse bezahlt, aber keine Lieferung erhalten haben. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-bestellungen-auf-cragoo… ∗∗∗ Oracle Weblogic 0day ∗∗∗ --------------------------------------------- Several days ago, information about new Oracle Weblogic Server 0day vulnerability was published [... CVE-2019-2725]. ... One of the SISSDEN goals is to track such a vulnerabilities and answer following questions: How big was the volume of scanning/exploitation? Who is responsible for scanning/exploitation? How was the exploitation executed? --------------------------------------------- https://sissden.eu/blog/oracle-weblogic-0day ===================== = Vulnerabilities = ===================== ∗∗∗ Vuln: ImageMagick Multiple Heap Buffer Overflow Vulnerabilities ∗∗∗ --------------------------------------------- ImageMagick is prone to multiple heap-based buffer-overflow vulnerabilities. An attacker can exploit this issue to cause denial-of-service condition and obtain sensitive information. --------------------------------------------- http://www.securityfocus.com/bid/108102 ∗∗∗ Insufficient Privilege Validation in WooCommerce Checkout Manager ∗∗∗ --------------------------------------------- Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you are using this plugin, we recommend that you update it to version 4.3 immediately. --------------------------------------------- https://blog.sucuri.net/2019/04/insufficient-privilege-validation-in-woocom… ∗∗∗ Schwachstelle in Revive Adserver kann Schadcode-Auslieferung ermöglichen ∗∗∗ --------------------------------------------- Der Werbeanzeigen-Server Revive Adserver ist über zwei Schwachstellen angreifbar; eine davon gilt als kritisch. Version 4.2.0 ist abgesichert. --------------------------------------------- https://heise.de/-4410423 ∗∗∗ Forscher finden Schwachstellen in E-Mail-Signaturprüfung ∗∗∗ --------------------------------------------- Sicherheitsforscher der Fachhochschule Münster und der Ruhr-Universität Bochum haben Schwachstellen in den Implementierungen der weitverbreiteten E-Mail-Verschlüsselungsstandards S/MIME und OpenPGP gefunden --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Signaturfae… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel, openwsman, and ovmf), Debian (gst-plugins-base1.0 and libvirt), Fedora (libX11, poppler, python-urllib3, samba, and wpewebkit), openSUSE (GraphicsMagick), SUSE (atftp, glibc, libssh2_org, and wpa_supplicant), and Ubuntu (wavpack). --------------------------------------------- https://lwn.net/Articles/787158/ ∗∗∗ Foxit Phantom PDF Suite: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen im Foxit Reader und der Foxit Phantom PDF Suite ausnutzen, um beliebigen Programmcode mit Benutzerrechten auszuführen, einen Denial of Service Angriff durchzuführen oder vertrauliche Daten einzusehen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0359 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server for IBM Cloud Private VM Quickstarter ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2018-1902) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-transformat… ∗∗∗ IBM Security Bulletin: A vulnerability affects the IBM FlashSystem 840 and 900 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-affec… ∗∗∗ IBM Security Bulletin: Security vulnerability affects Rational Engineering Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM Planning Analytics (CVE-2018-3180, CVE-2013-1624, CVE-2018-1933, CVE-2015-1832, CVE-2018-15494) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ HPESBHF03929 rev.1 - HPE Superdome Flex Server, Local Denial of Service, Disclosure of Information, and Escalation of Privilege ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.04.2019
by Daily end-of-shift report 29 Apr '19

29 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-04-2019 18:00 − Montag 29-04-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ GitHub-Hosted Magecart Card Skimmer Found on Hundreds of Stores ∗∗∗ --------------------------------------------- Malicious actors compromised the Magento installations of a few hundred e-commerce websites and injected them with Magecart skimmer scripts hosted on GitHub. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-hosted-magecart-card-… ∗∗∗ Old Vulnerabilities Are Still Good Tricks for Todays Attacks ∗∗∗ --------------------------------------------- The value of a security vulnerability drops significantly the moment it gets patched but the bad guys will keep exploiting it for as long as they can find victims that are worth the effort. --------------------------------------------- https://www.bleepingcomputer.com/news/security/old-vulnerabilities-are-stil… ∗∗∗ Typo 3 Spam Infection ∗∗∗ --------------------------------------------- Here at Sucuri most of the malware that we deal with is on CMS platforms like: WordPress, Joomla, Drupal, Magento, and others. But every now and then we come across something a little different. Blackhat SEO Infection in Typo3 Just recently, I discovered a website using the Typo3 CMS that had been infected with a blackhat SEO spam infection: [...] --------------------------------------------- https://blog.sucuri.net/2019/04/typo-3-spam-infection.html ∗∗∗ Schwachstellen in P2P-Komponente: Zwei Millionen IoT-Geräte angreifbar ∗∗∗ --------------------------------------------- Angreifer könnten sich Fernzugriff auf IP-Kameras, smarte Türklingeln und Co. verschaffen. Ein Forscher rät zum Wegwerfen, nennt aber auch einen Workaround. --------------------------------------------- https://heise.de/-4409298 ∗∗∗ A Crash-Course in Card Shops ∗∗∗ --------------------------------------------- The notorious Joker's Stash is perhaps the best-known of many illicit shops in the deep & dark web (DDW) that specialize in, and serve as a primary means through which cybercriminals obtain, stolen payment card data. Commonly referred to as card shops, these shops can also be invaluable resources for those seeking to better understand and combat fraud and cybercrime. read more --------------------------------------------- https://www.securityweek.com/crash-course-card-shops ∗∗∗ So schützen Sie sich vor Phishing-Versuchen ∗∗∗ --------------------------------------------- Beim Phishing versuchen Kriminelle mittels gefälschter E-Mails, Websites und Chat-Nachrichten, sensible Daten von Internetuser/innen abzugreifen. Durch einfach zu treffende Vorkehrungen und ein wachsames Auge kann vermieden werden, auf derartige Betrugsmaschen hereinzufallen. Dies ist wichtig, denn durch falsches Handeln können mitunter hohe finzielle Verluste entstehen. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-phishing-v… ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle patcht kritische Lücke in WebLogic Server außer der Reihe ∗∗∗ --------------------------------------------- Angreifer könnten WebLogic Server mit vergleichsweise wenig Aufwand attackieren und übernehmen. Nun hat Oracle Sicherheitsupdates veröffentlicht. --------------------------------------------- https://heise.de/-4409153 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, libpng, and openssh), Debian (checkstyle, evolution, gst-plugins-base0.10, gst-plugins-base1.0, imagemagick, libpng1.6, monit, and systemd), Fedora (aria2, php-symfony, php-symfony3, php-symfony4, and python-jinja2), openSUSE (ceph, libssh2_org, libvirt, php7, python3, samba, wget, and xerces-c), Red Hat (rh-python35-python), Slackware (bind), SUSE (libssh2_org), and Ubuntu (evince, gst-plugins-base0.10, gst-plugins-base1.0, and [...] --------------------------------------------- https://lwn.net/Articles/787052/ ∗∗∗ IBM Security Bulletin: IBM StoredIQ is affected by potential Host Header Injection (CVE-2019-4166) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-storediq-is-affec… ∗∗∗ IBM Security Bulletin: Vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2018-15756) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-spri… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affects IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin : IBM Storwize V7000 Unified is affected by denial of service vulnerability in GPFS (CVE-2018-1783) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-storwize-v7000-un… ∗∗∗ IBM Security Bulletin : IBM Storwize V7000 Unified is affected by arbitry file read vulnerability in GPFS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-storwize-v7000-un… ∗∗∗ IBM Security Bulletin: Security Vulnerabilities in IBM® Java SDK affect Rational Method Composer March 2019 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.04.2019
by Daily end-of-shift report 26 Apr '19

26 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-04-2019 18:00 − Freitag 26-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Getting in the Zone: dumping Active Directory DNS using adidnsdump ∗∗∗ --------------------------------------------- Zone transfers are a classical way of performing reconnaissance in networks (or even from the internet). They require an insecurely configured DNS server that allows anonymous users to transfer all records and gather information about host in the network. What not many people know however is that if Active Directory integrated DNS is used, any [...] --------------------------------------------- https://blog.fox-it.com/2019/04/25/getting-in-the-zone-dumping-active-direc… ∗∗∗ Service Accounts Redux - Collecting Service Accounts with PowerShell ∗∗∗ --------------------------------------------- Back in 2015 I wrote up a "find the service accounts" story - https://isc.sans.edu/forums/diary/Windows+Service+Accounts+Why+Theyre+Evil+… (yes, it really has been that long). The approach I wrote up then used WMIC. Those scripts saw a lot of use back in the day, but dont reflect the fastest or most efficient way to collect this information - I thought today was a good day to cover how to do this much quicker in PowerShell. --------------------------------------------- https://isc.sans.edu/forums/diary/Service+Accounts+Redux+Collecting+Service… ∗∗∗ Statistik: Deutlich mehr Malware für den Mac ∗∗∗ --------------------------------------------- Laut Angaben des Sicherheitsunternehmens Malwarebytes nehmen die Angriffe auf macOS-User zu. Besonders Adware wird zum Problem. --------------------------------------------- https://heise.de/-4408038 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Sierra Wireless AirLink ES450 ∗∗∗ --------------------------------------------- Several exploitable vulnerabilities exist in the Sierra Wireless AirLink ES450, an LTE gateway designed for distributed enterprise, such as retail point-of-sale or industrial control systems. These flaws present a number of attack vectors for a malicious actor, and could allow them to remotely execute code on the victim machine, change the administrator's password and expose user credentials, among [...] --------------------------------------------- https://blog.talosintelligence.com/2019/04/vulnerability-sierra-airlink.html ∗∗∗ Vorsicht vor Betrugs-Mails mit vermeintlichen Rechnungen ∗∗∗ --------------------------------------------- Konsument/innen und Unternehmen erhalten E-Mails, die auf Links zu angeblichen Rechnungen verweisen. Die Betroffenen werden beispielsweise aufgefordert die Rechnungen zu bezahlen oder deren Inhalt zu überprüfen. Wer den Links folgt landet auf betrügerischen Websites, die versuchen, Systeme mit Schadsoftware zu infizieren. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betrugs-mails-mit-verme… ∗∗∗ An inside look at how credential stuffing operations work ∗∗∗ --------------------------------------------- Data breaches, custom software, proxies, IoT botnets, and hacking forums -- all play a role. --------------------------------------------- https://www.zdnet.com/article/an-inside-look-at-how-credential-stuffing-ope… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension ∗∗∗ --------------------------------------------- If you own an eCommerce website built on WordPress and powered by WooCommerce plugin, then beware of a new, unpatched vulnerability that has been made public and could allow attackers to compromise your online store. A WordPress security company - called "Plugin Vulnerabilities" - that recently gone rogue in order to protest against moderators of the WordPress's official support forum has once [...] --------------------------------------------- https://thehackernews.com/2019/04/wordpress-woocommerce-security.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gpac and mercurial), Fedora (kernel-headers and kernel-tools), openSUSE (GraphicsMagick, kauth, lxc, lxcfs, python, qemu, and xmltooling), SUSE (freeradius-server, ImageMagick, libvirt, samba, and wireshark), and Ubuntu (bind9). --------------------------------------------- https://lwn.net/Articles/786884/ ∗∗∗ Synology-SA-19:20 ISC BIND ∗∗∗ --------------------------------------------- CVE-2018-5743 allows remote attackers to conduct denial-of-service attacks via a susceptible version of DNS Server.DNS Server is not affected by CVE-2019-6947 and CVE-2019-6948 as these vulnerabilities only affect ISC BIND 9.10.5 and later. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_20 ∗∗∗ Security Advisory - FRP Bypass Vulnerability in Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190424-… ∗∗∗ IBM Cognos Business Intelligence: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0354 ∗∗∗ IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2019 – Includes Oracle Jan 2019 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sdk-java-technolo… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM® Java Runtime and Liberty affect IBM BigFix Remote Control ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2018-20346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulneraqbility-in-s… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerability GNU C Library (CVE-2018-16429) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Cloud Manager with OpenStack is affected by a OpenSSL vulnerabilities (CVE-2018-0734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-manager-wit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libtirpc (CVE-2018-14622 CVE-2018-14621) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in OpenSSH ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in OpenSSL (CVE-2018-0732 CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.04.2019
by Daily end-of-shift report 25 Apr '19

25 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-04-2019 18:00 − Donnerstag 25-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ ExtraPulsar backdoor based on leaked NSA code – what you need to know ∗∗∗ --------------------------------------------- A US security researcher has come up with an open-source Windows backdoor loosely based on NSA attack code that leaked back in 2017. --------------------------------------------- https://nakedsecurity.sophos.com/2019/04/25/extrapulsar-backdoor-based-on-l… ∗∗∗ Android-App "WiFi Finder" leakte private WLAN-Passwörter ∗∗∗ --------------------------------------------- Auf über 100.000 Handys half WiFi Finder beim Verbinden mit öffentlichen Hotspots. In vielen Fällen sammelte die App aber auch private Zugangsdaten. --------------------------------------------- https://heise.de/-4405783 ∗∗∗ Jetzt patchen! Erpressungstrojaner Gandcrab frisst sich durch Confluence-Lücke ∗∗∗ --------------------------------------------- Die Angriffe auf Confluence weiten sich aus. Derzeit versuchen Angreifer verwundbare Systeme mit der Ransomware Gandcrab zu infizieren. --------------------------------------------- https://heise.de/-4407102 ∗∗∗ JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan ∗∗∗ --------------------------------------------- Malware loaders are playing an increasingly important role in malware distribution. They give adversaries the ability to gain an initial foothold on a system and are typically used to deliver various malware payloads following successful compromise. These attacks are popping up more frequently, as we covered in July with Smoke Loader and Brushaloader earlier this year. --------------------------------------------- https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html ∗∗∗ Erpressungs-E-Mail von mir selbst ∗∗∗ --------------------------------------------- Momentan versenden Kriminelle E-Mails, in denen Sie behaupten Ihre Webcam gehackt und Sie beobachtet zu haben. Sie hätten angeblich Videomaterial, das Sie beim Masturbieren zeigt. Ihnen droht eine Veröffentlichung des Films, wenn Sie nicht einen bestimmten Geldbetrag in Form von Bitcoins überweisen. Weiters scheint es so, als hätten die Kriminellen die E-Mail von Ihrem Account aus an Sie selbst versendet. Bleiben Sie ruhig, es handelt sich um einen Betrugsversuch! --------------------------------------------- https://www.watchlist-internet.at/news/erpressungs-e-mail-von-mir-selbst/ ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched Vulnerability Alert - WebLogic Zero Day, (Thu, Apr 25th) ∗∗∗ --------------------------------------------- The news today is full of a new deserialization vulnerability in Oracle WebLogic. This affects all current versions of the product (the POC is against 10.3, but 12.x versions are also affected). The vulnerability affects the wls9_async_response package (which is not included by default in all builds), so the workaround is to either ACL the Z/_async/* and /wls-wsat/* paths, or delete wls9_async_response.war. A successful attack gets the attacker remote code exec on the vulnerable server. --------------------------------------------- https://isc.sans.edu/diary/rss/24880 ∗∗∗ Technical Advisory: Private Key Extraction from Qualcomm Hardware-backed Keystores ∗∗∗ --------------------------------------------- Recent Android devices include a hardware-backed keystore, which developers can use to protect their cryptographic keys with secure hardware. On some devices, Qualcomms TrustZone-based keystore leaks sensitive information through the branch predictor and memory caches, enabling recovery of 224 and 256-bit ECDSA keys. --------------------------------------------- https://www.nccgroup.trust/us/our-research/private-key-extraction-qualcomm-… ∗∗∗ New security release versions of BIND are available: 9.11.6-P1, 9.12.4-P1, and 9.14.1 ∗∗∗ --------------------------------------------- CVE-2018-5743: Limiting simultaneous TCP clients is ineffective CVE-2019-6467: An error in the nxdomain redirect feature can cause BIND to exit with an INSIST assertion failure in query.c CVE-2019-6468: BIND Supported Preview Edition can exit with an assertion failure if nxdomain-redirect is used --------------------------------------------- https://lists.isc.org/pipermail/bind-announce/2019-April/001126.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (putty and systemd), Fedora (kernel, kernel-headers, and kernel-tools), Gentoo (ming and qemu), openSUSE (openexr and slurm), SUSE (ImageMagick, jasper, ntfs-3g_ntfsprogs, openssh, and webkit2gtk3), and Ubuntu (php5 and tcpflow). --------------------------------------------- https://lwn.net/Articles/786749/ ∗∗∗ TIBCO Security Advisories ∗∗∗ --------------------------------------------- https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-ap… https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-ap… https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-ap… https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-ap… https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-ap… https://www.tibco.com/support/advisories/2019/04/tibco-security-advisory-ap… ∗∗∗ BIND vulnerability CVE-2018-5743 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74009656 ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by information disclosure vulnerability (CVE-2019-6157) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integrated-manage… ∗∗∗ IBM Security Bulletin: Security vulnerability affects the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2019-4047) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: Security vulnerability affects the Report Builder that is shipped with Jazz Reporting Service (CVE-2018-2004) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by weak cryptographic algorithms (CVE-2018-2007) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-… ∗∗∗ IBM Security Bulletin: IBM Security SiteProtector System is affected by Apache HTTP Server vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-siteprot… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security SiteProtector System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in GNU C Library (CVE-2017-15804 CVE-2017-15670 CVE-2015-5180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in xorg-x11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerability in cURL (CVE-2018-14618) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in GNU C Library (CVE-2018-11236) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integrated-manage… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.04.2019
by Daily end-of-shift report 24 Apr '19

24 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-04-2019 18:00 − Mittwoch 24-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware Hosted in Google Sites Sends Data to MySQL Server ∗∗∗ --------------------------------------------- Security researchers found malware hosted on the Google Sites platform for building websites. The threat is a dropper for an information stealer that sends data to a MySQL server controlled by the attacker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-hosted-in-google-sit… ∗∗∗ Qbot Malware Dropped via Context-Aware Phishing Campaign ∗∗∗ --------------------------------------------- A phishing campaign dropping the Qbot banking Trojan with the help of delivery emails camouflaging as parts of previous conversations was spotted during late March 2019 by the JASK Special Operations team. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qbot-malware-dropped-via-con… ∗∗∗ Where have all the Domain Admins gone? Rooting out Unwanted Domain Administrators ∗∗∗ --------------------------------------------- Ever been in an internal security assessment or penetration test, and need to list all domain admins? First of all, why would you need to do that? All to often, you'll find that way too many people have domain admins - you know, "just in case" --------------------------------------------- https://isc.sans.edu/forums/diary/Where+have+all+the+Domain+Admins+gone+Roo… ∗∗∗ Sighting of Mythical New Shadowserver Website Confirmed! ∗∗∗ --------------------------------------------- After over a decade over operations, the Shadowserver Foundation finally launches a shiny new website. The new site hopefully better explains to the public our values, free services and constituents, and what we continue to do to improve the overall security of the Internet. Our team, focus and mission remain otherwise unchanged. But we may hopefully spare ourselves the occasional embarrassing question! --------------------------------------------- https://www.shadowserver.org/news/sighting-of-mythical-new-shadowserver-web… ∗∗∗ DNSpionage brings out the Karkoff ∗∗∗ --------------------------------------------- Cisco Talos publishes new information about the still ongoing DNSpionage campaign. --------------------------------------------- https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.ht… ∗∗∗ BSI warnt vor gezielten Ransomware-Angriffen auf Unternehmen ∗∗∗ --------------------------------------------- Derzeit registriert das Bundesamt für Sicherheit in der Informationstechnik (BSI) verstärkt Netzwerkkompromittierungen bei Unternehmen, die mit der manuellen und gezielten Ausführung eines Verschlüsselungstrojaners (Ransomware) enden. Dabei verschaffen sich die Angreifer mittels breit angelegter Spam-Kampagnen wie Emotet zunächst Zugang zu einzelnen Unternehmensnetzwerken [...] --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/BSI_warnt_v… ∗∗∗ CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis ∗∗∗ --------------------------------------------- In the previous installment, we wrote about how string hashing was used in CARBANAK to manage Windows API resolution throughout the entire codebase. But the authors used this same string hashing algorithm for another task as well. In this installment, we’ll pick up where we left off and write about CARBANAK’s antivirus (AV) detection, AV evasion, authorship artifacts, exploits, secrets, and network-based indicators. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-… ∗∗∗ Honeypot types deployed in SISSDEN ∗∗∗ --------------------------------------------- The SISSDEN sensor network is composed of VPS provider hosted nodes (procured at a cost from the VPS providers) and nodes donated to the project by third-parties acting as endpoints. These VPS nodes are not the actual honeypots themselves. Instead, they act as transparent layer 2 tunnels to the [...] --------------------------------------------- https://sissden.eu/blog/honeypots-deployed ===================== = Vulnerabilities = ===================== ∗∗∗ Fujifilm FCR Capsula X/Carbon X ∗∗∗ --------------------------------------------- This medical advisory includes mitigations for uncontrolled resource consumption and improper access control vulnerabilities reported in Fujifilm’s FCR Capsula X and Carbon X Computed Radiography cassette readers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-19-113-01 ∗∗∗ Rockwell Automation MicroLogix 1400 and CompactLogix 5370 Controllers ∗∗∗ --------------------------------------------- This advisory includes mitigations for an open redirect vulnerability reported in Rockwell Automation’s MicroLogix 1400 and CompactLogix 5370 controllers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-113-01 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dovecot, flashplugin, ghostscript, and jenkins), Fedora (glpi, hostapd, python-urllib3, and znc), openSUSE (apache2, audiofile, libqt5-qtvirtualkeyboard, php5, and SDL2), Scientific Linux (kernel), SUSE (curl and dovecot23), and Ubuntu (advancecomp and freeradius). --------------------------------------------- https://lwn.net/Articles/786629/ ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in cURL (CVE-2018-16840 CVE-2018-16842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… ∗∗∗ IBM Security Bulletin: API Connect V5 is impacted by vulnerabilities in Bootstrap (CVE-2018-14040 CVE-2018-14041 CVE-2018-14042) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v5-is-imp… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale (CVE-2018-10237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: Multiple Websphere Vulnerabilities Impact IBM Control Center (CVE-2018-3169, CVE-2014-7810, CVE-2018-1767) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-websphere-vu… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Data Quality Exception Console is affected by a Reflected XSS (Cross-Site Scripting) vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-data-q… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM SDK, and Ruby on Rails affect BigFix Compliance ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Build Forge (CVE-2018-1890;CVE-2019-2426;CVE-2018-3139;CVE-2018-3180;CVE-2018-12547) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Dynamic System Analysis (DSA) Preboot is affected by vulnerabilities in libjpeg ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-dynamic-system-an… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.04.2019
by Daily end-of-shift report 23 Apr '19

23 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-04-2019 18:00 − Dienstag 23-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Operation ShadowHammer: a high-profile supply chain attack ∗∗∗ --------------------------------------------- In late March 2019, we briefly highlighted our research on ShadowHammer attacks, a sophisticated supply chain attack involving ASUS Live Update Utility. Now it is time to share more details about the research with our readers. --------------------------------------------- https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-a… ∗∗∗ IT Security Guidelines for Transport Layer Security (TLS) ∗∗∗ --------------------------------------------- These guidelines are intended to aid during procurement, set-up and review of configurations of the Transport Layer Security protocol (TLS). TLS is the most popular protocol to secure connections on the Internet. --------------------------------------------- https://www.ncsc.nl/english/current-topics/factsheets/it-security-guideline… ∗∗∗ Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts ∗∗∗ --------------------------------------------- We recently discovered malicious Microsoft Software Installation (MSI) files that download and execute other files, and could bypass traditional security solutions. Malicious actors can abuse custom actions in these files to execute malicious scripts and drop malware that are either capable of initiating a system shutdown or targeting financial systems located in certain locations.The post Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/analysis-abuse-… ∗∗∗ CARBANAK Week Part One: A Rare Occurrence ∗∗∗ --------------------------------------------- It is very unusual for FLARE to analyze a prolifically-used, privately-developed backdoor only to later have the source code and operator tools fall into our laps. Yet this is the extraordinary circumstance that sets the stage for CARBANAK Week, a four-part blog series that commences with this post. CARBANAK is one of the most full-featured backdoors around. It was used to perpetrate millions of dollars in financial crimes, largely by the group we track as FIN7. In 2017, Tom Bennett and Barry --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-… ∗∗∗ So erkennen Sie Fake-Shops bevor es zu spät ist! ∗∗∗ --------------------------------------------- Auf der Schnäppchenjagd im Internet stoßen Konsument/innen häufig auf Online-Shops, die trotz Bezahlung keine Ware liefern. Kurz gesagt: Fake-Shops. Diese Webseiten werden von Kriminellen betrieben, die es ausschließlich auf das Geld ihrer Opfer abgesehen haben. Bezahlungen erfolgen per Vorkasse und die überwiesenen Beträge sind verloren. Das Erkennen von Fake-Shops ist oft schwierig, mit unseren Tipps aber nicht unmöglich! --------------------------------------------- https://www.watchlist-internet.at/news/so-erkennen-sie-fake-shops-bevor-es-… ∗∗∗ Trojanized TeamViewer used in government, embassy attacks across Europe ∗∗∗ --------------------------------------------- The remote desktop software is being weaponized to gain access to victim systems. --------------------------------------------- https://www.zdnet.com/article/trojanized-teamviewer-used-in-government-poli… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-1.8.0-openjdk and java-11-openjdk), Debian (clamav, debian-security-support, and drupal7), Fedora (egl-wayland, elementary-camera, elementary-code, elementary-terminal, ephemeral, geocode-glib, gnome-characters, gnome-shell-extension-gsconnect, group-service, libmodulemd, libxmlb, mate-user-admin, mesa, meson, mpris-scrobbler, reportd, switchboard-plug-display, switchboard-plug-pantheon-shell, wingpanel, and wireshark), openSUSE (blueman and glibc), Red Hat (java-1.7.0-openjdk). --------------------------------------------- https://lwn.net/Articles/786458/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-1.7.0-openjdk), Debian (ghostscript and wget), Gentoo (apache, glib, opendkim, and sqlite), Red Hat (kernel, kernel-alt, kernel-rt, ovmf, polkit, and python27-python), Scientific Linux (java-1.7.0-openjdk), and SUSE (php72). --------------------------------------------- https://lwn.net/Articles/786538/ ∗∗∗ BlackBerry Powered by Android Security Bulletin - April 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Malware-Verteiler werden immer jünger, infizieren sich oft selbst ∗∗∗ --------------------------------------------- https://heise.de/-4403823 ∗∗∗ IBM Security Bulletin: Vyatta 5600 vRouter Software Patches – Release 1801-v ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vyatta-5600-vrouter-s… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2018-1901) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in GNU C Library (CVE-2017-15804) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integrated-manage… ∗∗∗ IBM Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise are affected by a Websphere Application Server Vulnerability (CVE-2014-7810) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integration-bus-i… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM HTTP Server (CVE-2019-0211 CVE-2019-0220) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Potential vulnerability related to Unsafe Deserialization in Apache Solr shipped with IBM Operations Analytics – Log Analysis (CVE-2019-0192) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-vulnerabili… ∗∗∗ IBM Security Bulletin: Information Disclosure Vulnerabilities Affect IBM Sterling B2B Integrator (CVE-2019-4146, CVE-2019-4222) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: IBM i is affected by networking BIND vulnerabilities CVE-2018-5744 CVE-2019-6465 and CVE-2018-5745. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-i-is-affected-by-… ∗∗∗ IBM Security Bulletin: Security Bulletin: IBM Content Navigator is affected by an open redirect vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-bulletin-ibm… ∗∗∗ IBM Security Bulletin: Multiple Cross-Site Scripting Vulnerabilities Affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-cross-site-s… ∗∗∗ IBM Security Bulletin: Public disclosed vulnerability from SQLite CVE-2018-20346 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-public-disclosed-vuln… ∗∗∗ IBM Security Bulletin: IBM Content Navigator is vulnerable to cross-site scripting. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-content-navigator… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Data Redaction ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Weak Cryptographic Algorithm Vulnerability Affects IBM Sterling B2B Integrator (CVE-2018-1720) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-weak-cryptographic-al… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2019
by Daily end-of-shift report 19 Apr '19

19 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-04-2019 18:00 − Freitag 19-04-2019 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Wipro Intruders Targeted Other Major IT Firms ∗∗∗ --------------------------------------------- The criminals responsible for launching phishing campaigns that netted dozens of employees and more than 100 computer systems last month at Wipro, Indias third-largest IT outsourcing firm, also appear to have targeted a number of other competing providers, including Infosys and Cognizant -- two other large technology consulting companies, new evidence suggests. --------------------------------------------- https://krebsonsecurity.com/2019/04/wipro-intruders-targeted-other-major-it… ∗∗∗ Threat Source (April 18): New attacks distribute Formbook, LokiBot ∗∗∗ --------------------------------------------- Newsletter compiled by Jonathan Munshaw.Welcome to this week’s Threat Source newsletter — the perfect place to get caught up on all things Talos from the past week. --------------------------------------------- https://blog.talosintelligence.com/2019/04/threat-source-april-18-new-attac… ∗∗∗ DNS Hijacking Abuses Trust In Core Internet Service ∗∗∗ --------------------------------------------- Authors: Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres.Update 4/18: A correction has been made to our research based on feedback from Packet Clearing House, we thank them for their assistancePrefaceThis blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the [...] --------------------------------------------- https://blog.talosintelligence.com/2019/04/seaturtle.html ∗∗∗ What did Ransomware do in March? ∗∗∗ --------------------------------------------- According to the monitoring of 360 Brain of Safety, the overall attack trend of Ransomware in March is relatively stable. There is no new large-scale...The post What did Ransomware do in March? appeared first on 360 Total Security Blog. --------------------------------------------- https://blog.360totalsecurity.com/en/what-did-ransomware-do-in-march/ ∗∗∗ Daily Emotet IoCs and Notes for 04/17-18/19 ∗∗∗ --------------------------------------------- Emotet Malware Document links/IOCs for 04/17-18/19 as of 04/19/19 02:00 EDTNotes and Credits now at the bottom Follow us on twitter @cryptolaemus1 for more updates.Epoch 1 Document/Downloader links seen for [...] --------------------------------------------- https://paste.cryptolaemus.com/emotet/2019/04/18/18-emotet-malware-IoCs_04-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (atomic-reactor and osbs-client), openSUSE (libqt5-qtbase, lxc, tar, wget, and xmltooling), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (php5), and Ubuntu (znc). --------------------------------------------- https://lwn.net/Articles/786299/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos TM1 (CVE-2018-3180, CVE-2018-12547) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Insight (CVE-2018-3180, CVE-2018-12547) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.04.2019
by Daily end-of-shift report 18 Apr '19

18 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-04-2019 18:00 − Donnerstag 18-04-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RevengeRAT Distributed via Bit.ly, BlogSpot, and Pastebin C2 Infrastructure ∗∗∗ --------------------------------------------- A malicious campaign targeting entities from North America, Europe, Asia, and the Middle East during March used a combination of pages hosted on Bit.ly, BlogSpot, and Pastebin to create a command-and-control (C2) infrastructure designed to avoid getting blocked by security solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revengerat-distributed-via-b… ∗∗∗ Malware Sample Delivered Through UDF Image ∗∗∗ --------------------------------------------- So be careful with .img files! They should also be added to the list of prohibited file extensions in your mail relays or change the file association in your Windows environments to NOT open them Windowd Explorer. --------------------------------------------- https://isc.sans.edu/forums/diary/Malware+Sample+Delivered+Through+UDF+Imag… ∗∗∗ keysmix.com stiehlt Steam-Accounts ∗∗∗ --------------------------------------------- Gamer/innen aufgepasst: Auf Steam kommt es momentan zu Phishing-Versuchen. Accounts aus dem eigenen Freundeskreis versenden Nachrichten, die ein gratis Spiel für Neuanmeldungen versprechen. Die Links führen zu keysmix.com. Wer sich auf der Website mit dem Steam-Login anmeldet, wird Opfer eines Datendiebstahls und verliert den eigenen Steam-Account. --------------------------------------------- https://www.watchlist-internet.at/news/keysmixcom-stiehlt-steam-accounts/ ∗∗∗ media-shopping.org – zu schön, um wahr zu sein ∗∗∗ --------------------------------------------- Im Online-Shop media-shopping.org finden Sie Elektroartikel zu unschlagbaren Preisen. Zusätzlich erhalten Sie auf Ihre Bestellung angeblich einen Rabatt von 30 Euro. Ein Angebot dieser Art ist leider zu schön, um wahr zu sein! media-shopping.org ist ein Fake-Shop, der keine Ware liefert. --------------------------------------------- https://www.watchlist-internet.at/news/media-shoppingorg-zu-schoen-um-wahr-… ===================== = Vulnerabilities = ===================== ∗∗∗ Broadcom WiFi chipset drivers contain multiple vulnerabilities ∗∗∗ --------------------------------------------- The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow. In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, these vulnerabilities --------------------------------------------- https://www.kb.cert.org/vuls/id/166939/ ∗∗∗ OpenSSH 8.0 released ∗∗∗ --------------------------------------------- This release contains mitigation for a weakness in the scp(1) tool and protocol (CVE-2019-6111): when copying files from a remote system to a local directory, scp(1) did not verify that the filenames that the server sent matched those requested by the client. This could allow a hostile server to create or clobber unexpected local files with attacker-controlled content. --------------------------------------------- https://lwn.net/Articles/786236/ ∗∗∗ Sicherheitsupdates: Mehrere Lücken in Drupal geschlossen ∗∗∗ --------------------------------------------- In aktualisierten Versionen haben die Drupal-Entwickler Schwachstellen geschlossen. Der Bedrohungsgrad gilt als "mittelschwer". --------------------------------------------- https://heise.de/-4402364 ∗∗∗ Wichtige Sicherheitsupdates für Cisco Wireless LAN Controller & Co. ∗∗∗ --------------------------------------------- Cisco hat jede Menge Patches für verschiedene Netzwerkgeräte veröffentlicht. Nur eine Schwachstelle gilt als "kritisch". --------------------------------------------- https://heise.de/-4402425 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (polkit), Gentoo (dovecot, libseccomp, and patch), openSUSE (aubio, blktrace, flac, lxc, lxcfs, pspp, SDL, sqlite3, and xen), Red Hat (java-1.8.0-openjdk, java-11-openjdk, and rh-maven35-jackson-databind), Scientific Linux (java-1.8.0-openjdk), Slackware (libpng), SUSE (python, python3, sqlite3, and xerces-c), and Ubuntu (ntfs-3g). --------------------------------------------- https://lwn.net/Articles/786235/ ∗∗∗ BSRT-2019-002 Vulnerability in UEM Core Impacts BlackBerry UEM ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in IBM Java Runtime could affect DB2 Query Management Facility (CVE-2018-12547, CVE-2019-2426, CVE-2018-1890, CVE-2018-12549, CVE-2018-11212) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in IBM Java Runtime which affects DataQuant for z/OS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM NeXtScale Fan Power Controller (FPC) is affected by vulnerability in OpenSSL (CVE-2018-0734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-nextscale-fan-pow… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Sterling Connect:Express for UNIX (CVE-2018-0734 and CVE-2018-5407) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in OpenSSL (CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-integrated-manage… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerability in GNU glibc (CVE-2018-11236) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Information Exposure (CVE-2018-1729) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-siem-is-vu… ∗∗∗ IBM Security Bulletin: IBM QRadar Network Packet Capture is vulnerable to publicly disclosed vulnerabilities from [All] Python (CVE-2018-1060, CVE-2018-1061) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-network-pa… ∗∗∗ IBM Security Bulletin: IBM QRadar Network Packet Capture is vulnerable to a Publicly disclosed vulnerability from GNU glibc (CVE-2018-11237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-network-pa… ∗∗∗ IBM Security Bulletin: IBM QRadar Network Packet Capture is vulnerable to publicly disclosed vulnerabilities from OpenSSL (CVE-2018-0739, CVE-2018-0732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-network-pa… ∗∗∗ BIG-IP URL classification vulnerability CVE-2019-6610 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42465020 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.04.2019
by Daily end-of-shift report 17 Apr '19

17 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-04-2019 18:00 − Mittwoch 17-04-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Microsoft Edge to Warn Users When in Administrator Mode ∗∗∗ --------------------------------------------- The upcoming Chromium-based Microsoft Edge browser will warn users when they launch the browser with administrative privileges and suggest that they relaunch the browser as a non-administrator. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-microsoft-edge-to-warn-u… ∗∗∗ Subdomain Takeover: Microsoft verliert Kontrolle über Windows-Kacheln ∗∗∗ --------------------------------------------- Mit einem Service von Microsoft konnten Webseiten Neuigkeiten auf Windows-Kacheln als sogenannte Windows Live Tiles darstellen. Den Service gibt es nicht mehr, die zugehörige Subdomain konnten wir übernehmen und eigene Kachelinhalte anzeigen. --------------------------------------------- https://www.golem.de/news/subdomain-takeover-microsoft-verliert-kontrolle-u… ∗∗∗ Angriffe auf Confluence - Patch-Stand checken ∗∗∗ --------------------------------------------- Das DFN-CERT warnt vor verstärkten Angriffen auf den Collaboration-Service Confluence. Die nutzen Lücken aus, für die es bereits Patches gibt --------------------------------------------- https://heise.de/-4401658 ∗∗∗ A third-party patch for Microsoft’s Internet Explorer zero-day vulnerability ∗∗∗ --------------------------------------------- Don’t want to wait for Microsoft to fix the problem in how Internet Explorer handles .MHT files? Other security researchers come to the rescue. --------------------------------------------- https://www.grahamcluley.com/third-party-patch-internet-explorer/ ∗∗∗ Betrügerische Job-Angebote führen zu Identitätsdiebstahl und Geldwäsche! ∗∗∗ --------------------------------------------- Immer wieder stoßen Konsument/innen auf verlockende Job-Angebote bei vermeintlichen Marktforschungsinstituten. Als solches stellte sich auch webspection.de dar. Für die Teilnahme an der ersten Umfrage – ein angeblicher Test des Video-Ident-Verfahrens IDnow – mussten Interessent/innen Ausweise und Dokumente an die kriminellen Betreiber/innen weiterleiten. Die Folge: Betrüger/innen verfügen über ein Konto im Namen der Betroffenen und nutzen dieses zur --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-job-angebote-fuehren-… ===================== = Vulnerabilities = ===================== ∗∗∗ Evernote Fixes Remote Code Execution Vulnerability in macOS App ∗∗∗ --------------------------------------------- A local file path traversal vulnerability which allows attackers to run arbitrary code on their targets Macs remotely was fixed by Evernote after receiving a report from security researcher Dhiraj Mishra. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evernote-fixes-remote-code-e… ∗∗∗ Sicherheitslücke: EA Origin führte Schadcode per Link aus ∗∗∗ --------------------------------------------- Ein Klick auf den falschen Link konnte genügen: Die Spieleplattform EA Origin führte über präparierte Links beliebige Software oder Schadcode aus. Auch die Konten der Spieler konnten auf diese Weise übernommen werden. (Origin, Phishing) --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-ea-origin-fuehrte-schadcode-per… ∗∗∗ Delta Industrial Automation CNCSoft ∗∗∗ --------------------------------------------- This advisory includes mitigations for heap-based buffer overflow, out-of-bounds read, and stack-based buffer overflow vulnerabilities reported in Delta Electronics Delta Industrial Automation CNCSoft ScreenEditor software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-106-01 ∗∗∗ Oracle Critical Patch Update Advisory - April 2019 ∗∗∗ --------------------------------------------- Java, MySQL, Solairs, VirtualBox uvam. --------------------------------------------- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html ∗∗∗ Security Advisory - Information Disclosure Vulnerability on Smartphones ∗∗∗ --------------------------------------------- There is an information disclosure vulnerability on certain Huawei smartphones. An attacker could view the photos after a series of operation without unlock the screen lock. Successful exploit could cause an information disclosure condition. --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190417-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (mod_auth_mellon), Debian (ghostscript and ruby2.3), openSUSE (dovecot22, gnuplot, and openwsman), Scientific Linux (mod_auth_mellon), SUSE (krb5, openexr, python3, and wget), and Ubuntu (firefox and openjdk-lts). --------------------------------------------- https://lwn.net/Articles/786157/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX Security Bulletin ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects AIX (CVE-2019-1559) Security Bulletin ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-open… ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance are vulnerable to a denial of service attack within the TLS key renegotiation functions (CVE-2019-4055) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-and-ibm-mq-app… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerability in OpenSSL (CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2019
by Daily end-of-shift report 16 Apr '19

16 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Montag 15-04-2019 18:00 − Dienstag 16-04-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Behavioural aspects of cybersecurity ∗∗∗ --------------------------------------------- Technical cybersecurity measures do not exist in a vacuum and need to operate in harmony with people. Against this backdrop, ENISA publishes a report comprising four evidence-based reviews of human aspects of cybersecurity: two based on the use and effectiveness of models from social science, one on qualitative studies, and one on current practice within organisations. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/behavioural-aspects-of-cybersec… ∗∗∗ The Outlook Winner is Dash ∗∗∗ --------------------------------------------- When trying to abuse the Office groups, I stepped on a single character group Dash “-”. At first, I reserved the group Dash for the mail -(a)example.com as it is somewhat uncommon to see a single “special” character mail address. The next morning (after the creation of this group), I had already received 5 mails. --------------------------------------------- https://blog.ettic.ca/the-outlook-winner-is-dash-ac15dbc4098d ∗∗∗ Adobe Flash security tool Flashmingo debuts in open source community ∗∗∗ --------------------------------------------- In order to maintain adequate levels of security for Flash until its demise, a balance has to be met between spending time and resources auditing the software and the need for analysis. To assist the cause, cybersecurity firm FireEye has released Flashmingo, a framework for the automatic analysis of SWF files. --------------------------------------------- https://www.zdnet.com/article/security-tool-for-flash-flashmingo-released-t… ∗∗∗ Scranos: New Rapidly Evolving Rootkit-Enabled Spyware Discovered ∗∗∗ --------------------------------------------- ... the malware gains persistence on infected machines by installing a digitally-signed rootkit driver. Researchers believe attackers obtained the valid digital code-signing certificate fraudulently, which was originally issued to Yun Yu Health Management Consulting (Shanghai) Co., Ltd. and has not been revoked at the time of writing. --------------------------------------------- https://thehackernews.com/2019/04/scranos-rootkit-spyware.html ===================== = Vulnerabilities = ===================== ∗∗∗ New Malicious Medical DICOM Image Files Cause HIPAA Headache ∗∗∗ --------------------------------------------- Malicious DICOM files can be crafted to contain both CT and MRI scan imaging data and potentially dangerous PE executables, a process which can be used by threat actors to hide malware inside seemingly harmless files. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-malicious-medical-dicom-… ∗∗∗ Adblock Plus Filters Can Be Exploited to Run Malicious Code ∗∗∗ --------------------------------------------- An exploit has been discovered that could allow ad blocking filter list maintainers for the Adblock Plus, AdBlock, and uBlocker browser extensions to create filters that inject remote scripts into web sites. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/adblock-plus-filters-can-be-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti and libxslt), Fedora (pcsc-lite and samba), Gentoo (gnutls, phpmyadmin, and tiff), openSUSE (apache2, clamav, dovecot23, nodejs10, SDL, and webkit2gtk3), Red Hat (mod_auth_mellon and rh-python36-python), SUSE (firefox, nspr, nss and python), and Ubuntu (libxslt and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/786106/ ∗∗∗ IBM Security Bulletin: A Vulnerability in IBM Java Runtime Affects IBM Sterling Connect:Direct for Microsoft Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: IBM Planning Analytics Local is affected by multiple vulnerabilities (CVE-2018-12116, CVE-2018-12121, CVE-2018-12122, CVE-2018-12123) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-planning-analytic… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in GNU glibc (CVE-2017-15804 CVE-2017-15670 CVE-2015-5180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in PHP (CVE-2018-14851 CVE-2017-9118) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in python (CVE-2018-1061 CVE-2018-1060 CVE-2016-5636) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: Security vulnerability in Apache FOP affects IBM® Rational® Quality Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ glibc vulnerability CVE-2019-9169 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54823184 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2019
by Daily end-of-shift report 15 Apr '19

15 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-04-2019 18:00 − Montag 15-04-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hackers could read non-corporate Outlook.com, Hotmail for six months ∗∗∗ --------------------------------------------- Hackers and Microsoft seem to disagree on key details of the hack. --------------------------------------------- https://arstechnica.com/?p=1491071 ∗∗∗ Sicherheitslücken und mangelnder Datenschutz: Microsoft patzt bei Office 365 ∗∗∗ --------------------------------------------- Viele Unternehmen sind bereits auf Office 365 umgestiegen. Doch Microsoft schlampt beim Datenschutz und hält sich nicht an Sicherheitsstandards. --------------------------------------------- http://heise.de/-4398584 ∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Shimo VPNs helper tool ∗∗∗ --------------------------------------------- Discovered by Tyler Bohan of Cisco Talos.OverviewCisco Talos is disclosing a series of vulnerabilities found in the Shimo VPN Helper Tool. Shimo VPN is a popular VPN client for MacOS that can be used to connect multiple VPN accounts to one application. These specific vulnerabilities were found in the "helper tool", a feature that Shimo VPN uses to accomplish some of its privileged work.These vulnerabilities are being released without a patch, per our disclosure policy, after [...] --------------------------------------------- https://blog.talosintelligence.com/2019/04/vulnerability-spotlight-multiple… ∗∗∗ Tic Toc Pwned ∗∗∗ --------------------------------------------- We were recently tipped off that the Australian Tic Toc Track watch was almost undoubtedly just a version of the Gator kids GPS tracking watch. That's the tracker watch which leaked real time kids position data to anyone, it also allowed anyone to silently listen to children through the watch. Creepy! It all started with [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/tic-toc-pwned/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphicsmagick, jasper, and libssh2), Fedora (kernel, kernel-headers, kernel-tools, nodejs-simple-markdown, and php), openSUSE (netpbm and xen), and SUSE (audiofile, firefox, java-1_7_0-openjdk, libvirt, openssh, and systemd). --------------------------------------------- https://lwn.net/Articles/786031/ ∗∗∗ Security Advisory - Digital Signature Verification Bypass Vulnerability in Some Huawei Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190320-… ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2019-3880 in Samba affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-cve-201… ∗∗∗ IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2018-10237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: IBM Algo Credit Manager Is Affected by a Denial of Service Vulnerability in WebSphere Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-algo-credit-manag… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2018-3180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2019
by Daily end-of-shift report 12 Apr '19

12 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-04-2019 18:00 − Freitag 12-04-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 0day im Internet Explorer: Dateidiebstahl auf Windows-PCs ∗∗∗ --------------------------------------------- Ein Problem im Internet-Explorer gefährdet alle Windows-Nutzer – auch wenn sie den Zombie-Browser nicht nutzen. Microsoft will das jedoch nicht patchen. --------------------------------------------- http://heise.de/-4398797 ∗∗∗ Messenger: Matrix.org-Server gehackt ∗∗∗ --------------------------------------------- Mit Matrix.org ist einer der am meisten genutzten Server des Messengers Matrix gehackt worden. Betroffene sollten umgehend ihr Passwört ändern. Auch der vermeintliche Angreifer gibt Sicherheitstipps auf Github. (Matrix, Instant Messenger) --------------------------------------------- https://www.golem.de/news/messenger-matrix-org-server-gehackt-1904-140655-r… ∗∗∗ Bad news, everyone! New [BGP] hijack attack in the wild ∗∗∗ --------------------------------------------- With this article, we want to show an example of the attack where not only the true attacker was under the question, but the whole list of affected prefixes. Moreover, it again raises concerns about the possible motives for the future attack of this type. --------------------------------------------- https://habr.com/en/company/qrator/blog/447776/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vuln: Multiple VMware Products CVE-2019-5516 Out of Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- VMWare Workstation, VMWare Fusion, VMWare Esxi Multiple VMware products are prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information or cause denial-of-service condition. --------------------------------------------- http://www.securityfocus.com/bid/107878 ∗∗∗ Vuln: Oracle April 2019 Critical Patch Update Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Oracle has released advance notification regarding the April 2019 Critical Patch Update (CPU) to be released on April 16, 2019. The update addresses 296 vulnerabilities --------------------------------------------- http://www.securityfocus.com/bid/107875 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (freerdp, kernel, openssh, and python), Fedora (checkstyle), openSUSE (bluez, file, kernel, and libarchive), SUSE (apache2, curl, ghostscript, libvirt, openssh, and systemd), and Ubuntu (rssh). --------------------------------------------- https://lwn.net/Articles/785841/ ∗∗∗ WAGO Undocumented service access in Series 750-88x and 750-87x devices ∗∗∗ --------------------------------------------- CVE Identifier CVE-2019-10712 Severity 9.8 (CVSS:3.0:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-008 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services for Multi-Platform v2.1.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK Affect IBM Algo Credit Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Algo Credit Manager Is Affected by a Pivotal Spring Framework Vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-algo-credit-manag… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in cURL (CVE-2018-16840 CVE-2018-16842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerability in OpenSSH (CVE-2018-15473) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and IBM Watson Content Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerability in python (CVE-2018-14647) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerability in PHP (CVE-2018-17082) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ IBM Security Bulletin: IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in X.Org libx11 (CVE-2018-14599 CVE-2018-14598) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-bladecenter-advan… ∗∗∗ Apache Thrift vulnerability CVE-2018-1320 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36361684 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2019
by Daily end-of-shift report 11 Apr '19

11 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-04-2019 18:00 − Donnerstag 11-04-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Introducing the security configuration framework: A prioritized guide to hardening Windows 10 ∗∗∗ --------------------------------------------- The security configuration framework is designed to help simplify security configuration while still allowing enough flexibility to allow you to balance security, productivity, and user experience. We are defining discrete prescriptive Windows 10 security configurations (levels 5 through 1) to meet many of the common device scenarios we see today in the enterprise. --------------------------------------------- https://www.microsoft.com/security/blog/2019/04/11/introducing-the-security… ∗∗∗ Selfie: reflections on TLS 1.3 with PSK ∗∗∗ --------------------------------------------- TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed Pre Shared Key (PSK). ... We identify a security vulnerability in this TLS 1.3 path, by showing a new reflection attack that we call ``Selfie. The Selfie attack breaks the mutual authentication. It leverages the fact that TLS does not mandate explicit authentication of the server and the client in every message. --------------------------------------------- https://eprint.iacr.org/2019/347 ∗∗∗ Amazon-Phishing-Mail im Umlauf ∗∗∗ --------------------------------------------- Kriminelle geben sich als amazon-Kundenservice aus und versuchen persönliche Daten abzugreifen. Angeblich arbeitet amazon derzeit daran, den Kundendatenschutz zu verbessern und bittet um die Überprüfung der persönlichen Kontodaten. Folgen Nutzer/innen den Anweisungen, übmittlen sie Betrüger/innen sämtliche Daten. --------------------------------------------- https://www.watchlist-internet.at/news/amazon-phishing-mail-im-umlauf/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#192371: Multiple VPN applications insecurely store session cookies ∗∗∗ --------------------------------------------- Virtual Private Networks(VPNs)are used to create a secure connection with another network over the internet. Multiple VPN applications store the authentication and/or session cookies insecurely in memory and/or log files. CWE-311:Missing Encryption of Sensitive Data The following products and versions store the cookie insecurely in log files: - Palo Alto Networks GlobalProtect prior to 4.1.0(CVE-2019-15373)- Pulse Secure Connect Secure prior to 8.1R14,8.2,8.3R6,and 9.0R2 The following products [...] --------------------------------------------- https://kb.cert.org/vuls/id/192371 ∗∗∗ Dragonblood: Angreifer können bei WPA3 unter Umständen WLAN-Passwörter knacken ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in der WPA3-Personal-Anmeldung von WLANs erlauben es Angreifern unter bestimmten Umständen, den Traffic von Geräten abzuhören. --------------------------------------------- http://heise.de/-4393108 ∗∗∗ Juniper Networks fixt teils kritische Schwachstellen ∗∗∗ --------------------------------------------- Zahlreiche Netzwerkgeräte von Juniper sind anfällig für Remote-Angriffe. Der Hersteller hat Sicherheitshinweise und Updates veröffentlicht. --------------------------------------------- http://heise.de/-4397797 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (apache, evolution, gnutls, and thunderbird), Debian (wpa), Gentoo (git), Mageia (dovecot, flash-player-plugin, gpac, gpsd, imagemagick, koji, libssh2, libvirt, mariadb, ming, mumble, ntp, python, python3, squirrelmail, and wget), openSUSE (apache2), Red Hat (httpd24-httpd and httpd24-mod_auth_mellon), SUSE (libqt5-qtbase, openldap2, tar, and xmltooling), and Ubuntu (ruby1.9.1, ruby2.0, ruby2.3, ruby2.5 and wpa). --------------------------------------------- https://lwn.net/Articles/785676/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2019-0002.html ∗∗∗ IBM Security Bulletin: IBM API Connect’s Developer Portal(V5) is impacted by a critical local file Inclusion vulnerability (CVE-2019-4203) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-deve… ∗∗∗ IBM Security Bulletin: IBM Cloud Kubernetes Service is affected by a CNI security vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-kubernetes-… ∗∗∗ IBM Security Bulletin: IBM API Connect’s Developer Portal(V5) is vulnerable to command injection (CVE-2019-4202) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connects-deve… ∗∗∗ IBM Security Bulletin: Security vulnerability in FlexNet Publisher affects IBM Rational License Key Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services for Multi-Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Check Services for Multi-Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: A security vulnerabiltiy has been addressed in IBM Cognos Analytics (CVE-2019-4178) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM MQ Appliance is affected by an OpenSSL vulnerability (CVE-2018-0734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-appliance-is-a… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer used in IBM Business Automation Workflow, IBM Business Process Manager, and IBM WebSphere Lombardi Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ BIG-IP APM URL classification vulnerability CVE-2019-6610 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42465020 ∗∗∗ HPESBHF03912 rev.2 - Certain HPE Servers with a UEFI-based BIOS, Multiple Local Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Apache Tomcat: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0306 ∗∗∗ Red Hat OpenShift: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0305 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.04.2019
by Daily end-of-shift report 10 Apr '19

10 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-04-2019 18:00 − Mittwoch 10-04-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Analysis of a targeted attack exploiting the WinRar CVE-2018-20250 vulnerability ∗∗∗ --------------------------------------------- A complex attack chain incorporating the CVE-2018-20250 exploit and multiple code execution techniques attempted to run a fileless PowerShell backdoor that could allow an adversary to take full control of compromised machines. --------------------------------------------- https://www.microsoft.com/security/blog/2019/04/10/analysis-of-a-targeted-a… ∗∗∗ Pentesting: Nutzen, Rechtliches und Kosten ∗∗∗ --------------------------------------------- Immer mehr Schwachstellen in Produkten des täglichen Bedarfs wie intelligenten Appliances, Routern und anderen verbundenen Geräten werden publik und Benutzer beginnen die zugrunde liegenden Verfahren (oder deren Fehlen) zu hinterfragen, um ihre privaten Informationen zu schützen. Hier finden Sie eine wichtige und effiziente Methode zur Verbesserung des Sicherheitsniveaus von Netzwerken und diversen Anwendungen. --------------------------------------------- https://sec-consult.com/blog/2019/04/pentesting-nutzen-rechtliches-und-kost… ∗∗∗ A Peek Into the Toolkit of the Dangerous Triton Hackers ∗∗∗ --------------------------------------------- Security firm FireEye is naming a collection of tools it says might help identify more of the digital saboteurs intrusions. --------------------------------------------- https://www.wired.com/story/triton-hacker-toolkit-fireeye ∗∗∗ Umfrage: Unternehmen unterschätzen Gefahr durch Cyber-Sicherheitsvorfälle ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Cyber-Siche… ===================== = Vulnerabilities = ===================== ∗∗∗ Its raining patches, Hallelujah! Microsoft and Adobe put out their latest major fixes ∗∗∗ --------------------------------------------- Hefty patch Tuesday checks in at just under 100 CVEs. For Microsoft, the monthly flaw folder fixes for a total of 74 CVE-listed security bugs in Windows and Office. Of those, 33 are flaws which, if exploited, would allow the attacker to achieve remote code execution. Adobe, meanwhile, has kicked out updates for Acrobat and Reader that address 21 remote code execution flaws in the PDF app. Flash Player also got an update this month. For SAP, the month brings 11 security updates. --------------------------------------------- https://www.theregister.co.uk/2019/04/09/patch_tuesday_april/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (samba and spip), openSUSE (samba), Red Hat (flash-plugin), Scientific Linux (kernel and openssh), SUSE (clamav and xen), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/785466/ ∗∗∗ Vuln: WordPress Wordfence Plugin Unspecified Cross Site Scripting Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/107804 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affects WebSphere Application Server in IBM Cloud January 2019 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: BigFix WebUI is affected by vulnerabilities CVE-2019-4013 and CVE-2019-4012 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-bigfix-webui-is-affec… ∗∗∗ IBM Security Bulletin: IBM MQ Console is vulnerable to a man in the middle attack (CVE-2018-1925) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-console-is-vul… ∗∗∗ IBM Security Bulletin: BigFix Platform 9.2.x affected by multiple vulnerabilities (CVE-2017-1231, CVE-2018-5407, CVE-2012-5883, CVE-2012-6708, CVE-2015-9251) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-bigfix-platform-9-2-x… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in WebSphere Application Server Liberty affect IBM Spectrum Protect for Workstations Central Administration Console (CVE-2014-7810, CVE-2018-8039, CVE-2018-1901) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.04.2019
by Daily end-of-shift report 09 Apr '19

09 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Montag 08-04-2019 18:00 − Dienstag 09-04-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ShadowHammer-Angriffe zielten auch auf die Gaming-Industrie ∗∗∗ --------------------------------------------- Die Shadowhammer-Attacken 2018 trafen neben ASUS mindestens drei asiatische Spielehersteller. Und damit auch die Rechner von mindestens 96.000 Gamern. --------------------------------------------- http://heise.de/-4367681 ∗∗∗ Duqu Remained Active After Operations Were Exposed in 2011 ∗∗∗ --------------------------------------------- The discovery of Duqu 1.5 shows that the threat actor behind the malware did not go dark — as previously believed — after their operations were exposed by security researchers in 2011. read more --------------------------------------------- https://www.securityweek.com/duqu-remained-active-after-operations-were-exp… ∗∗∗ Probleme bei Buchungen über galahotels.com ∗∗∗ --------------------------------------------- Vorsicht bei Hotelbuchungen über galahotels.com. Uns liegen zahlreiche Berichte zu ausbleibenden Rückzahlungen nach Stornierung und anderen Problemen vor. In den schlimmsten Fällen stehen Betroffene ohne Unterkunft am Zielort da. Da das Unternehmen den Sitz in der Türkei hat, ist eine Rechtsdurchsetzung oft schwierig und der einzige Weg zum eigenen Geld führt häufig über den Kreditkartenanbieter. --------------------------------------------- https://www.watchlist-internet.at/news/probleme-bei-buchungen-ueber-galahot… ∗∗∗ Betrügerische Billa- und Amazon-Umfragen locken in Abo-Falle! ∗∗∗ --------------------------------------------- Vorsicht vor gefälschten E-Mails im Namen von Amazon und Billa, die für die Teilnahme an einer Umfrage Belohnungen versprechen. Konsument/innen, die den Buttons in den Mails folgen, landen auf gefälschten Websites der Unternehmen. Wer die eigenen Daten bekanntgibt, rutscht in eine Abo-Falle und erhält die versprochenen iPhone XS, Samsung Galaxy S10+ oder Gutscheine nie! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-billa-und-amazon-umfr… ∗∗∗ Aktuelle Malspam Kampagne ∗∗∗ --------------------------------------------- CERT.at möchte auf eine aktuelle Malspam-Kampagne hinweisen zu der wir aus ganz Österreich Anfragen erhalten haben. Beschreibung Der Betreff der E-Mails enhält einen Hinweis darauf, dass es sich um eine Rechnung oder einen Scan handelt. Der From-Header ist gefälscht und enthält als angezeigten Namen den lokalen Part der Domäne an die die E-Mail geht. Der Linktext scheint auf ein internes .doc-Dokument zu verweisen, de facto [...] --------------------------------------------- http://www.cert.at/services/blog/20190409151309-2416.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Acrobat and Reader (APSB19-17), Adobe Flash Player (APSB19-19), Adobe Shockwave player (APSB19-20), Adobe Dreamweaver (APSB19-21), Adobe XD (APSB19-22), Adobe InDesign (APSB19-23) ,Adobe Experience Manager Forms (APSB19-24) and Adobe Bridge CC (APSB19-25). --------------------------------------------- https://blogs.adobe.com/psirt/?p=1735 ∗∗∗ DLL injection in Go < 1.12.2 [CVE-2019-9634] ∗∗∗ --------------------------------------------- Golang before 1.12.2 linked against various DLLs that were same-directory injectable and generally its library loading mechanism did not use LoadLibraryEx, allowing the classic DLL injection attacks, especially with regards to executables saved to the Downloads/ folder --------------------------------------------- https://www.openwall.com/lists/oss-security/2019/04/09/1 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (poppler, proftpd-dfsg, suricata, and systemd), Fedora (kernel, kernel-headers, kernel-tools, and wget), Gentoo (clamav, emerge-delta-webrsync, and mailman), openSUSE (bash), Red Hat (kernel and openssh), Scientific Linux (python), SUSE (gnuplot, libtcnative-1-0, and sqlite3), and Ubuntu (clamav, lua5.3, openjdk-7, samba, systemd, and wget). --------------------------------------------- https://lwn.net/Articles/785367/ ∗∗∗ Synology-SA-19:15 Samba ∗∗∗ --------------------------------------------- CVE-2019-3880 allows remote authenticated users to create arbitrary files or obtain sensitive information via a susceptible version of DiskStation Manager (DSM) and Synology Router Manager (SRM).None of Synology products are affected by CVE-2019-3870 as the vulnerability only affect Samba 4.9.0 and later. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_15 ∗∗∗ [20190403] - Core - Object.prototype pollution in JQuery $.extend ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/779-20190403-core-object-proto… ∗∗∗ [20190402] - Core - Helpsites refresh endpoint callable for unauthenticated users ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/778-20190402-core-helpsites-re… ∗∗∗ [20190401] - Core - Directory Traversal in com_media ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/777-20190401-core-directory-tr… ∗∗∗ IBM Security Bulletin: BigFix Platform 9.5.x affected by multiple vulnerabilities (CVE-2019-4013, CVE-2018-5407, CVE-2012-5883, CVE-2012-6708, CVE-2015-9251) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-bigfix-platform-9-5-x… ∗∗∗ SSA-141614 (Last Update: 2019-04-09): Denial-of-Service in SIMOCODE pro V EIP ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-141614.txt ∗∗∗ SSA-307392 (Last Update: 2019-04-09): Denial-of-Service in OPC UA in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-307392.txt ∗∗∗ SSA-324467 (Last Update: 2019-04-09): OS Command Injection in Spectrum Power 4.7 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-324467.txt ∗∗∗ SSA-436177 (Last Update: 2019-04-09): Multiple Vulnerabilities in SINEMA Remote Connect ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-436177.txt ∗∗∗ SSA-451142 (Last Update: 2019-04-09): Multiple Vulnerabilities in RUGGEDCOM ROX II ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-451142.txt ∗∗∗ SSA-480230 (Last Update: 2019-04-09): Denial-of-Service in Webserver of Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-480230.txt ∗∗∗ GnuTLS vulnerability CVE-2015-0294 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54022413 ∗∗∗ GnuTLS vulnerability CVE-2014-8155 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53330207 ∗∗∗ SAP Basic Components (BC): Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0279 ∗∗∗ Symantec Endpoint Encryption: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0281 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2019
by Daily end-of-shift report 08 Apr '19

08 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-04-2019 18:00 − Montag 08-04-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ThinkPHP 5.x - Remote Code Execution Actively Exploited In The Wild ∗∗∗ --------------------------------------------- Earlier this year, we noticed an increase in attacks aiming at ThinkPHP. ThinkPHP is a PHP framework that is very popular in Asia. If you keep track of your site’s activity, the following log may look familiar: ]]> --------------------------------------------- http://labs.sucuri.net/?note=2019-04-08 ===================== = Vulnerabilities = ===================== ∗∗∗ SQL Injection in Duplicate-Page WordPress Plugin ∗∗∗ --------------------------------------------- While investigating the Duplicate Page plugin we have discovered a dangerous SQL Injection vulnerability. It was not being abused externally and impacts over 800,000 sites. It’s urgency is defined by the associated DREAD score that looks at damage, reproducibility, exploitability, affected users, and discoverability. A key contributor to the criticality of this vulnerability is that it’s exploitable by any users with an account on the vulnerable site (regardless of the privileges --------------------------------------------- https://blog.sucuri.net/2019/04/sql-injection-in-duplicate-page-wordpress-p… ∗∗∗ Jetzt patchen: Sicherheitssoftware von Trend Micro birgt kritische Schwachstelle ∗∗∗ --------------------------------------------- Updates für Apex One, OfficeScan und Worry-Free Business Security schützen unter anderem vor Remote-Angriffen. Nutzer sollten die Software zügig aktualisieren. --------------------------------------------- http://heise.de/-4365964 ∗∗∗ Via Dovecot zu Root-Rechten ∗∗∗ --------------------------------------------- Die Entwickler des Linux-Mailservers Dovecot haben einen Fehler gefunden und beseitigt, über den sich ein Angreifer Root-Rechte verschaffen könnte. --------------------------------------------- http://heise.de/-4366806 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (roundup, samba, tryton-server, and wget), Fedora (evolution-data-server, evolution-ews, glpi, ntp, poppler, pspp, and wget), Mageia (advancecomp, cfitsio, firefox, ghostscript, gnutls, libjpeg, libpng, ocaml, python-yaml, ruby-ox, SDL12, and thunderbird), openSUSE (adcli, sssd, go1.11, liblouis, nodejs6, openssl, ovmf, sqlite3, sysstat, thunderbird, tiff, and znc), Red Hat (chromium-browser and python), Slackware (httpd, openjpeg, and wget), SUSE --------------------------------------------- https://lwn.net/Articles/785238/ ∗∗∗ Samba: Mehrere Schwachstellen ermöglichen Manipulation von Dateien ∗∗∗ --------------------------------------------- CB-K19/0277: Samba: Mehrere Schwachstellen ermöglichen Manipulation von Dateien --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0277 ∗∗∗ IBM Security Bulletin: IBM InfoSphere Metadata Asset Manager is affected by an SQL Injection vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-metada… ∗∗∗ IBM Security Bulletin: IBM Sterling Connect:Direct for UNIX Allows a User with Sudo Access Restricted to Certain Connect:Direct Executable Files to Expand Access Beyond the Restriction (CVE-2018-1903) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-sterling-connectd… ∗∗∗ IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-1871) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction… ∗∗∗ IBM Security Bulletin: A reflected cross-site scripting (XSS) vulnerability affects IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-reflected-cross-sit… ∗∗∗ HPESBHF03916 rev.1 - HPE Virtual Connect SE 16Gb Fibre Channel Module for Synergy, Local or Remote Unauthorized Elevation of Privilege ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.04.2019
by Daily end-of-shift report 05 Apr '19

05 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-04-2019 18:00 − Freitag 05-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ This Preinstalled Mobile Security App Delivered Vulnerabilities, Not Protection ∗∗∗ --------------------------------------------- No. 4 global phone maker, Xiaomi, preinstalled a security app called ‘Guard Provider’ that had a major flaw. --------------------------------------------- https://threatpost.com/this-preinstalled-mobile-security-app-delivered-vuln… ∗∗∗ Spammed PNG file hides LokiBot ∗∗∗ --------------------------------------------- Recently we came across a spam message from our traps that looked truly odd when viewed from our Secure Email Gateway console. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/spammed-png… ∗∗∗ The evolution of phishing kits ∗∗∗ --------------------------------------------- Gone are the days when a phishing page was a single page designed to capture user credentials. Phishing kits have become sophisticated and advanced to evade detection and look more legitimate to the user. In this blog, .. --------------------------------------------- https://www.zscaler.com/blogs/research/evolution-phishing-kits ∗∗∗ Hiding in Plain Sight ∗∗∗ --------------------------------------------- Cisco Talos is continually working to ensure that our threat intelligence not only accounts for the latest threats but also new versions of old threats, such as spam. This often means pursuing cybercriminals wherever they congregate. However, instead of wheeling-and-dealing using hidden servers on .. --------------------------------------------- https://blog.talosintelligence.com/2019/04/hiding-in-plain-sight.html ∗∗∗ Ongoing DNS hijacking campaign targeting consumer routers ∗∗∗ --------------------------------------------- Over the last three months, our honeypots have detected DNS hijacking attacks targeting various types of consumer routers. All exploit attempts have originated from hosts on the network of Google Cloud Platform (AS15169). In this campaign, we’ve identified four distinct rogue DNS servers being used to redirect .. --------------------------------------------- https://badpackets.net/ongoing-dns-hijacking-campaign-targeting-consumer-ro… ===================== = Vulnerabilities = ===================== ∗∗∗ Omron CX-Programmer ∗∗∗ --------------------------------------------- This advisory includes mitigations for a use after free vulnerability reported in Omrons CX-Programmer PLC software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01 ∗∗∗ Rockwell Automation Stratix 5400/5410 and ArmorStratix 5700 ∗∗∗ --------------------------------------------- This advisory includes mitigations for an uncontrolled resource consumption vulnerability reported in Rockwell Automations Stratix and ArmorStratix Ethernet switches. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-094-02 ∗∗∗ Rockwell Automation Stratix 5400/5410/5700/8000/8300 and ArmorStratix 5700 ∗∗∗ --------------------------------------------- This advisory includes mitigations for resource management errors and improper input validation vulnerabilities reported in Rockwell Automations Stratix 5400/5410/5700/8000/8300 and ArmorStratix 5700 switches. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-094-03 ∗∗∗ Rockwell Automation Stratix 5950 ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper input validation vulnerability reported in Rockwell Automations Stratix 5950 security appliance products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-094-04 ∗∗∗ ZDI-19-341: (0Day) Hewlett Packard Enterprise Intelligent Management Center navigationTo Expression Language Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-341/ ∗∗∗ ZDI-19-339: (0Day) Hewlett Packard Enterprise Intelligent Management Center faultStatChooseFaultType Expression Language Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-339/ ∗∗∗ ZDI-19-335: (0Day) Hewlett Packard Enterprise Intelligent Management Center perfSelectTask Expression Language Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-335/ ∗∗∗ ZDI-19-334: (0Day) Hewlett Packard Enterprise Intelligent Management Center viewBatchTaskResultDetailFact Expression Language Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-334/ ∗∗∗ HPESBHF03914 rev.1 - Certain HPE Servers with Intel Server Platform Services (SPS) Firmware, Multiple Local Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2019
by Daily end-of-shift report 04 Apr '19

04 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-04-2019 18:00 − Donnerstag 04-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Betrügerische Phishing-Mails sollen Willhaben-Login stehlen ∗∗∗ --------------------------------------------- Kriminelle geben sich als die Kleinanzeigenplattform Willhaben aus und versenden wahllos Phishing-Nachrichten. Willhaben-Nutzer/innen, die die Nachricht in ihrem Posteingang finden, werden über die erfolgreiche Veröffentlichung einer Anzeige für ein Apple Iphone Xs Max informiert. Betroffene dürfen den gefälschten Links in der Nachricht nicht folgen und keine Login-Daten eingeben, ansonsten verlieren sie ihr Willhaben-Konto an Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-phishing-mails-sollen… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiGuard/FortiOS: Unprivileged, authenticated user can change the routing settings ∗∗∗ --------------------------------------------- An external control of system vulnerability in FortiOS may allow an authenticated, regular user to change the routing settings of the device via connecting to the ZebOS component. --------------------------------------------- https://fortiguard.com/psirt/FG-IR-18-230 ∗∗∗ HPESBHF03912 rev.1 - Certain HPE Servers with a UEFI-based BIOS, Multiple Local Vulnerabilities ∗∗∗ --------------------------------------------- Security vulnerabilities in UEFI Open Source (EDK2)-based BIOS firmware may allow escalation of privilege, information disclosure or denial of service. Vendors are releasing firmware updates to mitigate these vulnerabilities. --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, golang, and putty), Gentoo (xen), and SUSE (clamav, SM3.1, and SMS3.1). --------------------------------------------- https://lwn.net/Articles/784917/ ∗∗∗ Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business RV320 and RV325 Routers Weak Credential Encryption Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business RV320 and RV325 Routers Online Help Reflected Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: IBM API Connect Developer Portal is by Cross Site Scripting(XSS) in Drupal core (CVE-2019-6341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-devel… ∗∗∗ IBM Security Bulletin: IBM API Connect Developer Portal is affected by multiple PHP vulnerabilities (CVE-2019-9641 CVE-2019-9637 CVE-2019-9639 CVE-2019-9638) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-devel… ∗∗∗ IBM Security Bulletin: IBM API Connect Developer Portal is affected by a cross site scripting vulnerability in Drupal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-devel… ∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by vulnerability in the Kubernetes API server (CVE-2019-1002100) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-… ∗∗∗ IBM Security Bulletin: Spoofing vulnerability in IBM Business Automation Workflow (CVE-2019-4045) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-spoofing-vulnerabilit… ∗∗∗ IBM Security Bulletin: Cross-site request forgery vulnerability in IBM Business Automation Workflow (CVE-2018-2000) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-request-fo… ∗∗∗ IBM Security Bulletin: Information leakage in IBM Business Automation Workflow (CVE-2018-1999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-leakage-i… ∗∗∗ IBM Security Bulletin: Denial of service vulnerability in IBM Business Automation Workflow (CVE-2018-1997) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-denial-of-service-vul… ∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by sensitive information disclosure (CVE-2019-4051) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-… ∗∗∗ IBM Security Bulletin: External Service invocation in IBM Business Space affects IBM Business Automation Workflow and IBM Business Process Manager family products (CVE-2018-1885) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-external-service-invo… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2019
by Daily end-of-shift report 03 Apr '19

03 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-04-2019 18:00 − Mittwoch 03-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malware Campaigns Sharing Network Resources: r00ts.ninja ∗∗∗ --------------------------------------------- We recently noticed an interesting example of network infrastructure resources being used over a period of time by more than one large scale malware campaign (e.g redirected traffic, cryptomining). This was discovered when reviewing sources of the various malicious domains used in a recent WordPress plugin exploit wave. --------------------------------------------- https://blog.sucuri.net/2019/04/malware-campaigns-sharing-network-resources… ∗∗∗ Hijacked Email Reply Chains ∗∗∗ --------------------------------------------- Although phishing has been around in various forms since the 1980s, our research shows it continues to evolve—and remains a major threat. These days, phishing tactics have gotten so sophisticated, it can be difficult to spot a scam—particularly in the case of hijacked email reply chains. Let's look at a concrete example. --------------------------------------------- https://www.webroot.com/blog/2019/04/03/hijacked-email-reply-chains/ ∗∗∗ Xwo - A Python-based bot scanner ∗∗∗ --------------------------------------------- Recently, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it "Xwo" - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock. --------------------------------------------- https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scann… ∗∗∗ Vorsicht vor kostenpflichtigen Ping-Anrufen mit der Vorwahl +676! ∗∗∗ --------------------------------------------- Konsument/innen erhalten momentan gehäuft Ping-Anrufe von Nummern mit der Vorwahl +676 oder 00676. Wer verpasste Anrufe derartiger Nummern auf dem Mobiltelefon findet, darf nicht zurückrufen! Es handelt sich um die Ländervorwahl des Inselstaats Tonga und ein Rückruf kann hohe Kosten verursachen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-kostenpflichtigen-ping-… ∗∗∗ T-POT integration to SISSDEN ∗∗∗ --------------------------------------------- The primary data collection mechanism at the heart of the SISSDEN project is a sensor network of honeypots. The sensor network is composed of VPS provider hosted nodes and nodes donated to the project by third-parties acting as endpoints. These VPS nodes/endpoints are not the actual honeypots [...] --------------------------------------------- https://sissden.eu/blog/tpot-integration ∗∗∗ Bashlite IoT malware upgrade lets it target WeMo home automation devices ∗∗∗ --------------------------------------------- New Bashlite version not widely detected, but was spotted infecting devices in the wild. --------------------------------------------- https://www.zdnet.com/article/bashlite-iot-malware-upgrade-lets-it-target-w… ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WebAccess/SCADA ∗∗∗ --------------------------------------------- This advisory includes mitigations for command injection, stack-based buffer overflow, and improper access control vulnerabilities reported in Advantechs WebAccess SCADA software platform. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-092-01 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2), Fedora (edk2 and tomcat), openSUSE (ansible, ghostscript, lftp, libgxps, libjpeg-turbo, libqt5-qtimageformats, libqt5-qtsvg, libssh2_org, openssl-1_0_0, openwsman, pdns, perl-Email-Address, putty, python-azure-agent, python-cryptography, python-pyOpenSSL, python-Flask, thunderbird, tor, unzip, and wireshark), Scientific Linux (freerdp), Slackware (wget), SUSE (bluez, file, firefox, libsndfile, netpbm, thunderbird, and xen), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/784806/ ∗∗∗ FortiSandbox reflected XSS in the file scan component ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-18-024 ∗∗∗ IBM Security Bulletin: Vulnerabilities affect NVIDIA GPU Display Drivers for Linux and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-affec… ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private – CVE-2019-4143 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2018-3139, CVE-2018-3180, CVE-2018-12457, CVE-2019-2426) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect for Virtual Environments (CVE-2018-3139, CVE-2018-3180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ib… ∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect the IBM Spectrum Protect Backup-Archive Client on Windows and Macintosh (CVE-2018-3139, CVE-2018-3180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ib… ∗∗∗ IBM Security Bulletin: Potential Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2018-1901) affects IBM Security AppScan Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-privilege-e… ∗∗∗ IBM Security Bulletin: Password disclosure via trace file affects IBM Spectrum Protect for Space Management (CVE-2018-1882) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-disclosure-v… ∗∗∗ IBM Security Bulletin: Password disclosure via trace file affects IBM Spectrum Protect Backup-Archive Client and IBM Spectrum Protect for Virtual Environments (CVE-2018-1882) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-password-disclosure-v… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server OpenID Connect affects IBM Performance Management products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.04.2019
by Daily end-of-shift report 02 Apr '19

02 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Montag 01-04-2019 18:00 − Dienstag 02-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ MXSS: Cross-Site-Scripting in der Google-Suche ∗∗∗ --------------------------------------------- Aufgrund subtiler Unterschiede beim Parsen von HTML-Code gelang es einem Sicherheitsforscher, gängige Filtermechanismen zu umgehen. Betroffen waren zwei Javascript-Bibliotheken und die Google-Suche. --------------------------------------------- https://www.golem.de/news/mxss-cross-site-scripting-in-der-google-suche-190… ∗∗∗ Splitting atoms in XNU ∗∗∗ --------------------------------------------- TL;DR A locking bug in the XNU virtual memory subsystem allowed violation of the preconditions required for the correctness of an optimized virtual memory operation. This was abused to create shared memory where it wasnt expected, allowing the creation of a time-of-check-time-of-use bug where one wouldnt usually exist. This was exploited to cause a heap overflow in XPC, which was used to trigger the execution of a jump-oriented payload which chained [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2019/04/splitting-atoms-in-xnu.html ∗∗∗ Information on open source vulnerabilities is as distributed as the community ∗∗∗ --------------------------------------------- [...] a sizable number of the open source vulnerabilities that we see out there are actually being posted and discussed on a wide range of different security advisories and issue trackers. This means that even for relatively popular projects, these red flags may fly beneath the radar. --------------------------------------------- https://www.alienvault.com/blogs/security-essentials/information-on-open-so… ∗∗∗ Studie: Angreifer lieben PowerShell ∗∗∗ --------------------------------------------- Microsofts Skript-Sprache ist die am meisten genutzte Angriffstechnik, warnt die Sicherheitsfirma Red Canary. Bei vielen Firmen besteht da noch Nachholbedarf. --------------------------------------------- http://heise.de/-4357396 ∗∗∗ Malware Actors Using New File Hosting Service to Launch Attacks ∗∗∗ --------------------------------------------- Bad actors are leveraging a new file hosting service in order to launch attack campaigns involving FormBook and other malware. Near the end of March, researchers at Deep Instinct observed a new FormBook attack. The infection chain for this campaign began with a phishing email that contains a malicious attachment. --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/cyber-s… ∗∗∗ Gefälschte card complete Nachricht zu Kreditkartensperre ∗∗∗ --------------------------------------------- Kriminelle versenden eine erfundene Nachricht im card complete Design. Darin informieren Sie die Empfänger/innen über eine angebliche Sperre des Kreditkartenkontos, die durch Aktualisierung der Daten über einen Link in der E-Mail aufgehoben werden kann. Die Anweisungen dürfen nicht befolgt werden! Andernfalls wird Schadsoftware auf dem Smartphone installiert und die Kreditkartendaten landen bei Verbrecher/innen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-card-complete-nachricht-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Nutzer des Apache-Webservers können Root-Rechte erlangen ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im Apache-Webserver erlaubt es Nutzern, mit Hilfe von CGI- oder PHP-Skripten Root-Rechte zu erlangen. Ein Update steht bereit. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-nutzer-des-apache-webservers-ko… ∗∗∗ Security Patch: Google beseitigt im April Qualcomm-Sicherheitslücken ∗∗∗ --------------------------------------------- In einer Vorankündigung verweist Google auf ein neues Security Patch Level. Das April-Update schließt viele Lücken und sollte für einige, aber nicht alle aktuellen Android-Geräte erscheinen. Es gibt auch viele Sicherheitslücken, die Qualcomm-basierte Smartphones betreffen. --------------------------------------------- https://www.golem.de/news/security-patch-google-beseitigt-im-april-qualcomm… ∗∗∗ Zero-Day-Lücken in Edge und Internet Explorer – Patches stehen noch aus ∗∗∗ --------------------------------------------- Ein Forscher hat Angriffspunkte für Universal-Cross-Site-Scripting-Attacken in Microsofts Browsern gefunden. Der Konzern scheint desinteressiert. --------------------------------------------- http://heise.de/-4357840 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, libssh2, and thunderbird), Debian (firmware-nonfree, kernel, and libssh2), Fedora (drupal7, flatpak, and mod_auth_mellon), Gentoo (burp, cairo, glusterfs, libical, poppler, subversion, thunderbird, and unbound), openSUSE (yast2-rmt), Red Hat (freerdp), and SUSE (bash, ed, libarchive, ntp, and sqlite3). --------------------------------------------- https://lwn.net/Articles/784665/ ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow which could allow a local malicious user to execute arbitrary code (CVE-2019-4014). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-is-vulnerable… ∗∗∗ IBM Security Bulletin: API Connect is impacted by multiple nodeJS vulnerabilities (CVE-2018-12122 CVE-2018-12121 CVE-2018-12123 CVE-2018-12116) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-is-impact… ∗∗∗ IBM Security Bulletin: IBM API Connect is impacted by multiple open source software vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-im… ∗∗∗ IBM Security Bulletin: IBM® Db2® is vulnerable to a buffer overflow which could allow a local malicious user to execute arbitrary code (CVE-2018-1936). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-is-vulnerable… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by vulnerabilities in OpenSSL (CVE-2018-0735, CVE-2018-0734, CVE-2018-5407) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-master… ∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect Snapshot for VMware (CVE-2018-3139, CVE-2018-3180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ib… ∗∗∗ IBM Security Bulletin: Vulnerabilities in Rational DOORS Next Generation with potential for cross-site scripting attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ra… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.04.2019
by Daily end-of-shift report 01 Apr '19

01 Apr '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-03-2019 18:00 − Montag 01-04-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Mira Ransomware Decryptor ∗∗∗ --------------------------------------------- We investigated some recent Ransomware called Mira (Trojan:W32/Ransomware.AN) in order to check if it's feasible to decrypt the encrypted files. Most often, decryption can be very challenging because of missing keys that are needed for decryption. However, in the case of Mira ransomware, it appends all information required to decrypt an encrypted file into the [...] --------------------------------------------- https://labsblog.f-secure.com/2019/04/01/mira-ransomware-decryptor/ ∗∗∗ Zero-Day-Lücke in Smart-Home-Router SR20 von TP-Link ∗∗∗ --------------------------------------------- Unter gewissen Umständen könnte ein Angreifer Schadcode mit Root-Rechten auf dem TP-Link-Router SR20 ausführen. --------------------------------------------- http://heise.de/-4356942 ∗∗∗ Sicherheitsupdates: Nagios XI für vielfältige Angriffe anfällig ∗∗∗ --------------------------------------------- Die Serverüberwachungssoftware Nagios IX ist über mehrere Sicherheitslücken attackierbar. Abgesicherte Ausgaben sind verfügbar. --------------------------------------------- http://heise.de/-4357207 ∗∗∗ Peculiar PHP Present In Popular Pipdig Power Pack (P3) Plugin ∗∗∗ --------------------------------------------- This week, our team was notified of suspicious code present in a plugin offered alongside themes sold by Pipdig, a UK-based web development team. The user, who wishes to remain anonymous, reached out to us with concerns that the plugin's developer can grant themselves administrative access to sites using the plugin, or even delete affected [...] --------------------------------------------- https://www.wordfence.com/blog/2019/03/peculiar-php-present-in-popular-pipd… ∗∗∗ Hilfreiche Infos zu Finanzbetrug der Finanzmarktaufsicht ∗∗∗ --------------------------------------------- Bei Investments, die hohe Gewinne versprechen, ist Vorsicht geboten. Insbesondere im Bereich Bitcoins und Kryptowährungen kursieren zahlreiche betrügerische Angebote im Netz, bei denen Inverstor/innen ihr eingesetztes Geld verlieren. Die Finanzmarktaufsicht Österreich stellt mit ihrem Finanz ABC nun Hilfreiches rund um Finanzen, Geldanlagen sowie dem Erkennen von Finanzbetrug zur Verfügung. --------------------------------------------- https://www.watchlist-internet.at/news/hilfreiche-infos-zu-finanzbetrug-der… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2019-9193: Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest ∗∗∗ --------------------------------------------- PostgreSQL, commonly known as Postgres is one of the largest and most popular database systems in the world. It is the primary database of Mac OSX but also has Linux and Windows versions available. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2019-91… ∗∗∗ Pydio 8 Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities were found in Pydio 8 (latest version 8.2.2), which allows an attacker with regular user access to the application and by tricking an administrator account to open a shared URL bookmark through the application, to obtain the victims session identifiers in order to impersonate him/her and to perform actions such as create a new user administrator account. --------------------------------------------- https://www.secureauth.com/labs/advisories/pydio-8-multiple-vulnerabilities ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, drupal7, gpsd, libav, libdatetime-timezone-perl, php5, rails, thunderbird, twig, tzdata, and wordpress), Fedora (edk2, flatpak, fuse, ghostscript, gnutls, golang-googlecode-go-crypto, grub2, mxml, poppler, and systemd), Mageia (file, kernel, live, mplayer, vlc, openjpeg2, pdns, and poppler), openSUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, runc, kernel, ovmf, and ucode-intel), SUSE (adcli, sssd, GraphicsMagick, [...] --------------------------------------------- https://lwn.net/Articles/784563/ ∗∗∗ Vuln: Redhat Atomic OpenShift CVE-2019-3884 Spoofing Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/107649 ∗∗∗ Apple Mac OS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0243%20UPDATE%201 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2019-1559 in OpenSSL affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-cve-201… ∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by Go vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-… ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Liberty affects IBM Watson Compare and Comply on IBM Cloud Private ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ibm-… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is affected by an Information Disclosure vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-inform… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Information Server is affected by an Improper Authentication vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-inform… ∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Snapshot for VMware (CVE-2014-7810, CVE-2018-8039) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ib… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities have been fixed in IBM Security Privileged Identity Manager Appliance. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: XML External Entity Injection Security Vulnerability Affects IBM Sterling B2B Integrator (CVE-2019-4043) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-xml-external-entity-i… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.03.2019
by Daily end-of-shift report 29 Mar '19

29 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-03-2019 18:00 − Freitag 29-03-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Schwere Sicherheitslücke in SSL/TLS-Bibliothek axTLS ∗∗∗ --------------------------------------------- Webserver, die die Transportverschlüsselung über axTLS realisieren, sind für Angriffe empfänglich. --------------------------------------------- http://heise.de/-4355704 ∗∗∗ World Backup Day: Is your data in safe hands? ∗∗∗ --------------------------------------------- World Backup Day is a reminder that organizations and individuals need to make data backup and protection a priority --------------------------------------------- https://www.welivesecurity.com/2019/03/29/world-backup-day-data-safe-hands/ ∗∗∗ TLS CBC Padding Oracles in 2019 ∗∗∗ --------------------------------------------- Since August, I've spent countless hours studying CBC padding oracle attacks toward the development of a new scan tool called padcheck. Using this tool, I was able to identify thousands of popular domains which could be targeted by an active network adversary (i.e. MiTM) to hijack authenticated HTTPS sessions. The underlying vulnerabilities break down into [...] --------------------------------------------- https://www.tripwire.com/state-of-security/vert/tls-cbc-padding-oracles/ ∗∗∗ Researchers discover and abuse new undocumented feature in Intel chipsets ∗∗∗ --------------------------------------------- Researchers find new Intel VISA (Visualization of Internal Signals Architecture) debugging technology. --------------------------------------------- https://www.zdnet.com/article/researchers-discover-and-abuse-new-undocument… ∗∗∗ Researchers publish list of MAC addresses targeted in ASUS hack ∗∗∗ --------------------------------------------- Most of the targeted MAC addresses are used by ASUStek, Intel, and AzureWave devices. --------------------------------------------- https://www.zdnet.com/article/researchers-publish-list-of-mac-addresses-tar… ===================== = Vulnerabilities = ===================== ∗∗∗ Rockwell Automation PowerFlex 525 AC Drives ∗∗∗ --------------------------------------------- This advisory includes mitigations for a resource exhaustion vulnerability reported in Rockwell Automations PowerFlex 525 AC drive. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-087-01 ∗∗∗ Magento 2.3.1, 2.2.8 and 2.1.17 Security Update ∗∗∗ --------------------------------------------- Magento Commerce and Open Source 2.3.1, 2.2.8 and 2.1.17 contain multiple security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities. --------------------------------------------- https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-securit… ∗∗∗ VMSA-2019-0004 ∗∗∗ --------------------------------------------- VMware vCloud Director for Service Providers update resolves a Remote Session Hijack vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0004.html ∗∗∗ VMSA-2019-0005 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation and Fusion updates address multiple security issues. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0005.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (dovecot and imagemagick), Debian (dovecot, libraw, pdns, and ruby2.1), Fedora (mingw-podofo, openwsman, podofo, qemu, and svgsalamander), openSUSE (chromium, ffmpeg-4, firefox, libssh2_org, nodejs4, and qemu), Red Hat (libssh2), Scientific Linux (libssh2 and thunderbird), SUSE (kernel, liblouis, ntp, openssl-1_1, and tiff), and Ubuntu (firefox, freeimage, libapache2-mod-auth-mellon, and thunderbird). --------------------------------------------- https://lwn.net/Articles/784370/ ∗∗∗ Vuln: Apache HBase CVE-2019-0212 Authorization Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/107624 ∗∗∗ Vuln: Apache ActiveMQ CVE-2019-0222 Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/107622 ∗∗∗ GnuTLS: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0253 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by cURL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-… ∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by vulnerabilities in the shipped Node runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-… ∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by jackson-databind vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-… ∗∗∗ IBM Security Bulletin: Rational Build Forge Security Advisory for Apache HTTP Server (CVE-2019-0190; CVE-2018-17189; CVE-2018-17199) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-rational-build-forge-… ∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by Alpine vulnerability CVE-2018-1000849 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-… ∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-… ∗∗∗ IBM Security Bulletin: Security vulnerabilities identified in OpenSSL affect Rational Build Forge (CVE-2018-0734, CVE-2018-5407 and CVE-2019-1559) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by OpenSSL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-… ∗∗∗ IBM Security Bulletin: IBM Event Streams is affected by gettext vulnerability CVE-2018-18751 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-event-streams-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2019
by Daily end-of-shift report 28 Mar '19

28 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-03-2019 18:00 − Donnerstag 28-03-2019 18:00 Handler: Dimitri Robl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Analysis of LockerGoga Ransomware ∗∗∗ --------------------------------------------- We recently observed a new ransomware variant (which our products detect as Trojan.TR/LockerGoga.qnfzd) circulating in the wild. In this post, we’ll provide some technical details of the new variant’s functionalities, as well as some Indicators of Compromise (IOCs). Overview Compared to other ransomware variants that use Window’s CRT library functions, this new variant relies heavily […] --------------------------------------------- https://labsblog.f-secure.com/2019/03/27/analysis-of-lockergoga-ransomware/ ∗∗∗ [SANS ISC] Running your Own Passive DNS Service ∗∗∗ --------------------------------------------- I published the following diary on isc.sans.edu: “Running your Own Passive DNS Service“: Passive DNS is not new but remains a very interesting component to have in your hunting arsenal. As defined by CIRCL, a passive DNS is “a database storing historical DNS records from various resources. --------------------------------------------- https://blog.rootshell.be/2019/03/28/sans-isc-running-your-own-passive-dns-… ∗∗∗ Unseriöse Installateur- und Elektrodienste erkennen ∗∗∗ --------------------------------------------- Bei Problemen mit verstopften Abflüssen, kaputten Heizungen oder anfälligen Wartungen wenden Sie sich besser nicht an sanitaerhilfe.at oder installateur-top1.at. Es handelt sich um unseriöse Unternehmen, die sich weder an ihre Versprechungen halten noch Schäden beheben. Obendrein wird ein überteuerter Betrag kassiert. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-installateur-und-elektrod… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Botches Fix for RV320, RV325 Routers, Just Blocks curl User Agent ∗∗∗ --------------------------------------------- Ciscos RV320 and RV325 router models for small offices and small businesses remain vulnerable to two high-severity flaws two months after the vendor announced the availability of patches. The fixes failed their purpose and attackers can still chain the bugs to take control of the devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-botches-fix-for-rv320-… ∗∗∗ Multiple "0day" Verwundbarkeiten in HPE Intelligent Management Center ∗∗∗ --------------------------------------------- Die Zero Day Iniative (ZDI) hat heute über mehrere ungepatchte Verwundbarkeiten in HPE Intelligent Management Center berichtet. Es wird empfohlen, Kommunikation mit HPE Intelligent Management Center entsprechend nur von vertrauenswürdigen Geräten aus zu ermöglichen. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-19-294/ https://www.zerodayinitiative.com/advisories/ZDI-19-295/ https://www.zerodayinitiative.com/advisories/ZDI-19-296/ https://www.zerodayinitiative.com/advisories/ZDI-19-297/ https://www.zerodayinitiative.com/advisories/ZDI-19-298/ https://www.zerodayinitiative.com/advisories/ZDI-19-299/ https://www.zerodayinitiative.com/advisories/ZDI-19-300/ https://www.zerodayinitiative.com/advisories/ZDI-19-301/ https://www.zerodayinitiative.com/advisories/ZDI-19-302/ https://www.zerodayinitiative.com/advisories/ZDI-19-303/ ∗∗∗ Apple watchOS 5.2 ∗∗∗ --------------------------------------------- This document describes the security content of watchOS 5.2. --------------------------------------------- https://support.apple.com/kb/HT209602 ∗∗∗ Sicherheitsupdates: Kritische Lücken in Onlineshop-Software Magento ∗∗∗ --------------------------------------------- Viele Magento-Versionen weisen Schlupflöcher für Schadcode auf und gefährden so Onlineshops. Abgesicherte Ausgaben schließen die Schwachstellen. --------------------------------------------- http://heise.de/-4354925 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and wpa), Fedora (firefox and pdns), Gentoo (apache, cabextract, chromium, gd, nasm, sdl2-image, and zeromq), openSUSE (GraphicsMagick and lftp), Red Hat (thunderbird), Scientific Linux (firefox), Slackware (gnutls), and SUSE (ImageMagick). --------------------------------------------- https://lwn.net/Articles/784251/ ∗∗∗ ZDI-19-293: Advantech WebAccess Node tv_enua Improper Access Control Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-293/ ∗∗∗ ZDI-19-292: Advantech WebAccess Node spchapi Improper Access Control Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-292/ ∗∗∗ IBM Security Bulletin: Rational Test Control Panel component in Rational Test Virtualization Server and Rational Test Workbench affected by Spring vulnerability (CVE-2018-15756) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-rational-test-control… ∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by glibc vulnerabilities (CVE-2018-19591) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi… ∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2018-0734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2018-8039) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ib… ∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2018-0732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi… ∗∗∗ IBM Security Bulletin: IBM Security Proventia Network Active Bypass is affected by openssl vulnerabilities (CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-proventi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.03.2019
by Daily end-of-shift report 27 Mar '19

27 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-03-2019 18:00 − Mittwoch 27-03-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ UC Browser for Android, Desktop Exposes 500+ Million Users to MiTM Attacks ∗∗∗ --------------------------------------------- The extremely popular UC Browser and UC Browser Mini Android applications with a total of over 600 million installs expose their users to MiTM attacks by downloading and installing extra modules from their own servers using unprotected channels and bypassing Google Plays servers altogether. --------------------------------------------- https://www.bleepingcomputer.com/news/security/uc-browser-for-android-deskt… ∗∗∗ Abuse of hidden "well-known" directory in HTTPS sites ∗∗∗ --------------------------------------------- WordPress and Joomla are among the most popular Content Management Systems (CMSs). They have also become popular for malicious actors, as cybercriminals target sites on these platforms for hacking and injecting malicious content. During the past few weeks, ThreatLabZ researchers have detected several WordPress and Joomla sites that were serving Shade/Troldesh ransomware, backdoors, redirectors, and a variety of phishing pages. --------------------------------------------- https://www.zscaler.com/blogs/research/abuse-hidden-well-known-directory-ht… ∗∗∗ Sicherheitsforscher entdecken 36 neue Sicherheitslücken im LTE-Standard ∗∗∗ --------------------------------------------- Aufgrund von Lücken sollen Angreifer in der Lage sein, Verbindungen im LTE-Netz zu stören oder sogar zu manipulieren. Das geht aber mit viel Aufwand einher. --------------------------------------------- http://heise.de/-4352711 ∗∗∗ What Is Access Control? A Key Component Of Data Security ∗∗∗ --------------------------------------------- Who should be able to access a company's data? Under what circumstances do organisations deny access to a user with access privileges? To adequately protect data, an organisation's access control [...] --------------------------------------------- https://blog.schneider-electric.com/building-management/2019/03/27/what-is-… ∗∗∗ Rechnungen betrügerischer Streaming-Websites nicht bezahlen! ∗∗∗ --------------------------------------------- Die Welle betrügerischer Streaming-Plattformen mit Namen wie nolistream.de, someflix.de, daftstream.de oder savaflix.de reißt nicht ab. Die Websites verfolgen nur ein Ziel: Internetuser/innen zu unberechtigten Zahlungen zu drängen. Durch gefälschte Rechnungen, Mahnungen und Inkassoschreiben sollen Betroffene eingeschüchtert werden. Die geforderten 358,80, 359,88 oder 479,16 Euro dürfen nicht bezahlt werden! --------------------------------------------- https://www.watchlist-internet.at/news/rechnungen-betruegerischer-streaming… ===================== = Vulnerabilities = ===================== ∗∗∗ Siemens SCALANCE X ∗∗∗ --------------------------------------------- This advisory includes mitigations for an expected behavior violation vulnerability reported in the Siemens SCALANCE X products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-085-01 ∗∗∗ ENTTEC Lighting Controllers ∗∗∗ --------------------------------------------- This advisory includes mitigations for a missing authentication for critical function vulnerability reported in ENTTEC’s lighting controllers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-085-03-0 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-7), Fedora (cfitsio, firefox, librsvg2, and pdns), openSUSE (firefox), Red Hat (firefox), Scientific Linux (firefox), SUSE (gd, grub2, ImageMagick, kernel, libcaca, libmspack, ntp, ovmf, w3m, and wavpack), and Ubuntu (php7.0, php7.2, qemu, and xmltooling). --------------------------------------------- https://lwn.net/Articles/784114/ ∗∗∗ Cisco Security Advisories ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-71135 https://tools.cisco.com/security/center/psirtrss20/CiscoSecurityAdvisory.xml ∗∗∗ XML vulnerability CVE-2017-9233 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03244804 ∗∗∗ Security Advisory - Improper Authentication Vulnerability in Some Huawei AP Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190327-… ∗∗∗ IBM Security Bulletin: Potential denial of service in WebSphere Application Server Admin Console (CVE-2019-4080) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-denial-of-s… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in Oracle Outside In Technology affect IBM Rational DOORS Next Generation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in xorg-x11-libX11 (CVE-2018-14598 CVE-2018-14599 CVE-2018-14600) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-flex-system-chass… ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in GNU C Library (CVE-2015-5180 CVE-2017-15670 CVE-2017-15804) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-flex-system-chass… ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in cURL (CVE-2018-14618 CVE-2018-16840 CVE-2018-16842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-flex-system-chass… ∗∗∗ IBM Security Bulletin: Content Collector for Email is affected by 3RD PARTY IBM WebSphere Application Server Deserialization ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-content-collector-for… ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in PHP (CVE-2018-17082 CVE-2018-14883 CVE-2018-14851 CVE-2017-9118) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-flex-system-chass… ∗∗∗ IBM Security Bulletin: Content Collector for Email is affected by 3RD PARTY CSRF and OOB-XXE Vulnerabilities in WebSphere Web Application Server’s Integrated Solutions Console 9.0.0.8, 8.5.5.13, and 8.5.5.9 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-content-collector-for… ∗∗∗ IBM Security Bulletin: IBM Security Identity Manager Virtual Appliance is affected by multiple vulnerabilities (CVE-2017-6464, CVE-2017-6463, CVE-2017-6462, CVE-2015-3331, CVE-2014-2523) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-identity… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Identity Manager Virtual Appliance ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.03.2019
by Daily end-of-shift report 26 Mar '19

26 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Montag 25-03-2019 18:00 − Dienstag 26-03-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücken: Abus Alarmanlage kann per Funk ausgeschaltet werden ∗∗∗ --------------------------------------------- Gleich drei Sicherheitslücken erlauben verschiedene Angriffe auf die Funkalarmanlage Secvest von Abus. Ein Sicherheitsupdate gibt es nicht. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-abus-alarmanlage-kann-per-funk… ∗∗∗ Coding Error Could Enable Users to Halt LockerGoga Ransomware ∗∗∗ --------------------------------------------- Users could potentially use a coding error in some variants of LockerGoga to halt the ransomware's encryption routine in its tracks. In its analysis of LockerGoga, Alert Logic Threat Research found that the ransomware performs an initial reconnaissance scan through which it collects file lists once it's infected a machine. The malware may come in [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/coding-… ∗∗∗ Business banking fraud. Keep your eggs in TWO baskets. Here’s why… ∗∗∗ --------------------------------------------- This post has a cautionary tale all about spreading your business banking fraud risk. So, does your business have two bank accounts, with different banks? No? Then you would be well advised to do so, or risk being left unable to trade. WHY? --------------------------------------------- https://www.pentestpartners.com/security-blog/business-banking-fraud-keep-y… ∗∗∗ Amazon Phishing-Mails mit betrügerischem Inhalt ∗∗∗ --------------------------------------------- Unzählige Internetnutzer/innen finden momentan gefälschte Amazon-Mails im Posteingang. Sie werden darin informiert, dass das Amazon-Konto vorläufig deaktiviert wurde. Um es wieder freizuschalten, sollen die Empfänger/innen ihre Daten über den angegeben Link verifizieren. Der Aufforderung darf nicht gefolgt werden! Die eingegebenen Daten gelangen in die Hände Krimineller und das Amazon-Konto wurde nie gesperrt. --------------------------------------------- https://www.watchlist-internet.at/news/amazon-phishing-mails-mit-betruegeri… ===================== = Vulnerabilities = ===================== ∗∗∗ Betriebssysteme und iTunes: Apple schließt viele Sicherheitslücken ∗∗∗ --------------------------------------------- Mit der Veröffentlichung von iOS 12.2, Mojave 10.14.4 sowie der neuen iTunes-Version für Windows schließt Apple zahlreiche Sicherheitslücken. Einige davon sind kritisch, da sie Angriffe mit Kernelprivilegien oder hohen Rechten ermöglichen. --------------------------------------------- https://www.golem.de/news/betriebssysteme-und-itunes-apple-schliesst-viele-… ∗∗∗ ASUS Releases Security Update for Live Update Software ∗∗∗ --------------------------------------------- ASUS has released Live Update version 3.6.8. This version addresses vulnerabilities that a remote attacker could exploit to take control of an affected system. These vulnerabilities were detected in exploits in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ASUS article for more information. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2019/03/26/ASUS-Releases-Secu… ∗∗∗ rt-sa-2019-007 ∗∗∗ --------------------------------------------- Code Execution via Insecure Shell Function getopt_simple --------------------------------------------- https://www.redteam-pentesting.de/advisories/rt-sa-2019-007.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (ghostscript), Debian (libssh2 and wireshark), openSUSE (aubio, blueman, and kauth), Red Hat (kernel-rt and openwsman), Scientific Linux (openwsman), Slackware (mozilla), and SUSE (ovmf and ucode-intel). --------------------------------------------- https://lwn.net/Articles/784031/ ∗∗∗ Synology-SA-19:13 Drupal ∗∗∗ --------------------------------------------- A vulnerability allows remote authenticated users to inject arbitrary web script or HTML via a susceptible version of Drupal. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_13 ∗∗∗ IBM Security Bulletin: Incorrect permissions on restored files and directories using IBM Spectrum Protect Backup-Archive Client web user interface on Windows (CVE-2019-4093) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-incorrect-permissions… ∗∗∗ IBM Security Bulletin: IBM MQ Appliance is affected by OpenSSL vulnerabilities (CVE-2018-0732 and CVE-2018-0739) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-appliance-is-a… ∗∗∗ IBM Security Bulletin: Vulnerability CVE-2018-14647 in Python affects IBM i ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-cve-201… ∗∗∗ IBM Security Bulletin: Apache Axis as used in IBM QRadar SIEM is vulnerable to a possible man in the middle attack. (CVE-2012-5784) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-apache-axis-as-used-i… ∗∗∗ Binutils vulnerabilities CVE-2018-20002 and CVE-2018-20657 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K62602089 ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0240 ∗∗∗ Red Hat Enterprise Linux: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0244 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2019
by Daily end-of-shift report 25 Mar '19

25 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-03-2019 18:00 − Montag 25-03-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers ∗∗∗ --------------------------------------------- The Taiwan-based tech giant ASUS is believed to have pushed the malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the companys server and used it to push the malware to machines. --------------------------------------------- https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-sof… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox, libssh2, and powerdns), Debian (bash, firefox-esr, libapache2-mod-auth-mellon, ntfs-3g, openssh, passenger, rsync, and wireshark), Fedora (filezilla, libarchive, libssh2, mxml, php-twig, php-twig2, qemu, and tcpreplay), Slackware (mozilla), SUSE (ghostscript, kernel, libgxps, libjpeg-turbo, libqt5-qtimageformats, libqt5-qtsvg, openstack-cinder, openstack-horizon-plugin-designate-ui, openstack-neutron, openstack-neutron-lbaas, [...] --------------------------------------------- https://lwn.net/Articles/783953/ ∗∗∗ PHOENIX CONTACT command injection on RAD-80211-XD(/HP-BUS) ∗∗∗ --------------------------------------------- A WebHMI utility may be exploited by any logged in user allowing the execution of arbitrary OS commands on the server. This provides the opportunity for a command injection attack. --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-007 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Rational ClearCase (CVE-2018-0734, CVE-2018-5407) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2018-0734, CVE-2018-5407) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: A security vulnerability in IBM Java Runtime affects IBM Rational ClearQuest (CVE-2018-3180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational ClearCase (CVE-2018-3180, CVE-2018-3139) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ GNU C Library vulnerability CVE-2009-5155 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K64119434 ∗∗∗ xpdf: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0236 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.03.2019
by Daily end-of-shift report 22 Mar '19

22 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-03-2019 18:00 − Freitag 22-03-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Analysis of SeroMiner Trojan, combine multiple anti-analytic techniques ∗∗∗ --------------------------------------------- Foreword Recently, 360 security brain intercepted a mining Trojan 'SeroMiner'. The Trojan behavior is too concealed to be discovered its mining behavior from the security [...] --------------------------------------------- https://blog.360totalsecurity.com/en/analysis-of-serominer-trojan-combine-m… ∗∗∗ SigSpoof 4: Bypassing signature verification in Yarn package manager (CVE-2018-12556) ∗∗∗ --------------------------------------------- This attack on GnuPG signature verification is specific to yarn, thepackage manager. It can give a powerful attacker the ability toreplace the Yarn installation with arbitrary code. There areadditional protections in place, so if you are using Yarn, youprobably do not need to worry too much about it. --------------------------------------------- https://neopg.io/blog/yarn-signature-bypass/ ∗∗∗ Over 100,000 GitHub repos have leaked API or cryptographic keys ∗∗∗ --------------------------------------------- Thousands of new API or cryptographic keys leak via GitHub projects every day. --------------------------------------------- https://www.zdnet.com/article/over-100000-github-repos-have-leaked-api-or-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox), Debian (cron and ntfs-3g), Fedora (firefox, ghostscript, libzip, python2-django1.11, PyYAML, tcpflow, and xen), Mageia (ansible, firefox, and ImageMagick/GraphicsMagick), Red Hat (ghostscript), Scientific Linux (firefox and ghostscript), SUSE (libxml2, unzip, and wireshark), and Ubuntu (firefox, ghostscript, libsolv, ntfs-3g, p7zip, and snapd). --------------------------------------------- https://lwn.net/Articles/783757/ ∗∗∗ IBM Security Bulletin: Potential denial of service vulnerability in WebSphere Application Server (CVE-2019-4046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-denial-of-s… ∗∗∗ IBM Security Bulletin: Potential denial of service in Liberty for Java for IBM Cloud (CVE-2018-10237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-denial-of-s… ∗∗∗ ICMP PMTU messages are forwarded to the server side when the TCP proxy-mss setting is enabled in the associated profile ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52510343 ∗∗∗ The BIG-IP SMTPS virtual server may fail to properly restrict I/O buffering, allowing attackers to insert commands into encrypted SMTP sessions ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23284054 ∗∗∗ BIG-IP SNMPD vulnerability CVE-2019-6608 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12139752 ∗∗∗ REST Framework vulnerability CVE-2019-6602 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11818407 ∗∗∗ BIG-IP snmpd vulnerability CVE-2019-6606 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K35209601 ∗∗∗ TMM vulnerability CVE-2019-6603 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K14632915 ∗∗∗ When authentication is set to require, the Client SSL or Server SSL profile does not report an error when it has an associated invalid CRL ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15732489 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2019
by Daily end-of-shift report 21 Mar '19

21 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-03-2019 18:00 − Donnerstag 21-03-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Mac-Focused Malvertising Campaign Abuses Google Firebase DBs ∗∗∗ --------------------------------------------- Researchers said 1 million user sessions could have been exposed to the campaign, which downloads the Shlayer trojan. --------------------------------------------- https://threatpost.com/mac-focused-malvertising-campaign-abuses-google-fire… ∗∗∗ Kritische Lücken im Git-Client Sourcetree gefährden Computer ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Sourcetree von Atlassian. MacOS- und Windows-Nutzer sollten die abgesicherten Ausgaben zügig installieren. --------------------------------------------- http://heise.de/-4341489 ∗∗∗ D-Link wappnet ältere NAS-Systeme gegen Erpressungstrojaner Cr1ptTor ∗∗∗ --------------------------------------------- D-Link hat Sicherheitsupdates für NAS-Systeme angekündigt. Bis zur Veröffentlichung sollten sie nicht online sein. Für einige Geräte gibt es schon Patches. --------------------------------------------- http://heise.de/-4341586 ∗∗∗ Ransomware or Wiper? LockerGoga Straddles the Line ∗∗∗ --------------------------------------------- Executive SummaryRansomware attacks have been in the news with increased frequency over the past few years. This type of malware can be extremely disruptive and even cause operational impacts in critical systems that may be infected. LockerGoga is yet another example of this sort of malware. It is a ransomware variant that, while lacking in sophistication, can still cause extensive damage when leveraged against organizations or individuals. --------------------------------------------- https://blog.talosintelligence.com/2019/03/lockergoga.html ∗∗∗ Many Vulnerabilities Found in Oracles Java Card Technology ∗∗∗ --------------------------------------------- Poland-based cybersecurity research firm Security Explorations claims to have identified nearly 20 vulnerabilities in Oracle’s Java Card, including flaws that could be exploited to compromise the security of chips using this technology. --------------------------------------------- https://www.securityweek.com/many-vulnerabilities-found-oracles-java-card-t… ∗∗∗ Remote command injection through an endpoint security product ∗∗∗ --------------------------------------------- TL;DR? We discovered command injection in a popular endpoint security product, Heimdal Thor. By using the product, customers PCs were exposed to compromise. Irony++ Heimdal fixed the issue quickly and responded well, but it appears that the vulnerability had been present in ~650,000 PCs for around one year! Heimdal blogged about it today, but er... [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/remote-command-injection-thro… ∗∗∗ Gefälschte Apple-Rechnungen im Umlauf ∗∗∗ --------------------------------------------- Internetnutzer/innen finden vermehrt gefälschte Apple-Rechnungen in ihrem E-Mail-Postfach. Angeblich wurde etwas im App-Store per Kreditkartenzahlung gekauft. Für weitere Details werden Empfänger/innen aufgefordert, einem Link zu folgen oder eine Datei herunterzuladen. Folgen Sie nicht dem Link oder laden Anhänge herunter, denn es handelt sich um einen Phishing-Versuch! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-apple-rechnungen-im-umla… ∗∗∗ Zero-day in WordPress SMTP plugin abused by two hacker groups ∗∗∗ --------------------------------------------- Hacker groups are creating backdoor admin accounts on vulnerable sites and redirecting users to tech support scams. --------------------------------------------- https://www.zdnet.com/article/zero-day-in-wordpress-smtp-plugin-abused-by-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Medtronic Conexus Radio Frequency Telemetry Protocol ∗∗∗ --------------------------------------------- This medical advisory includes mitigations for improper access control and cleartext transmission of sensitive information vulnerabilities reported in Medtronics proprietary Conexus telemetry system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-19-080-01 ∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2019-004 ∗∗∗ --------------------------------------------- Project: Drupal coreDate: 2019-March-20Security risk: Moderately critical 13∕25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: Under certain circumstances the File module/subsystem allows a malicious user to upload a file that can trigger a cross-site scripting (XSS) vulnerability.Solution: If you are using Drupal 8.6, update to Drupal 8.6.13.If you are using Drupal 8.5 or earlier, update to Drupal 8.5.14.If you are using Drupal 7, [...] --------------------------------------------- https://www.drupal.org/sa-core-2019-004 ∗∗∗ RESTful - Critical - Remote code execution - SA-CONTRIB-2019-041 ∗∗∗ --------------------------------------------- Project: RESTfulVersion: 7.x-2.x-dev7.x-1.x-devDate: 2019-March-20Security risk: Critical 18∕25 AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:UncommonVulnerability: Remote code executionDescription: This resolves issues described in SA-CORE-2019-003 for this module.Solution: If you use the RESTful module for Drupal 7.x, upgrade to RESTful 7.x-1.10 or RESTful 7.x-2.17 [...] --------------------------------------------- https://www.drupal.org/sa-contrib-2019-041 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7, firefox-esr, and openjdk-8), Fedora (ghostscript, python2-django1.11, and SDL), Red Hat (firefox), Scientific Linux (firefox), SUSE (nodejs4 and openssl-1_1), and Ubuntu (gdk-pixbuf). --------------------------------------------- https://lwn.net/Articles/783652/ ∗∗∗ IBM Security Bulletin: Vulnerability in Python affects IBM OS Images for Red Hat Linux Systems ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-pyth… ∗∗∗ IBM Security Bulletin: API Connect V2018 is impacted by information leak (CVE-2019-4052) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-v2018-is-… ∗∗∗ IBM Security Bulletin: IBM Content Navigator is affected by a spoofing vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-content-navigator… ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerabilities in OpenSSH (CVE-2018-15473 CVE-2018-15919) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-flex-system-chass… ∗∗∗ IBM Security Bulletin: IBM Flex System Chassis Management Module (CMM) is affected by vulnerability in NTP (CVE-2018-12327) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-flex-system-chass… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.03.2019
by Daily end-of-shift report 20 Mar '19

20 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-03-2019 18:00 − Mittwoch 20-03-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Videos für mehr Cyber-Sicherheit: BSI startet YouTube-Kanal ∗∗∗ --------------------------------------------- Ab sofort ist das BSI auch bei der Videoplattform YouTube zu finden. Unter dem Namen "Bundesamt für Sicherheit in der Informationstechnik" finden Interessierte zunächst Tipps und Hinweise für Privatanwender sowie spannende Karriereinformationen oder Neuigkeiten über das BSI. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/Youtube-200319.ht… https://www.youtube.com/channel/UC_VgLyJQsChxKfDJcdI-Tcg ∗∗∗ SilkETW: Because Free Telemetry is...Free! ∗∗∗ --------------------------------------------- In the following example, we will collect process event data from the Kernel provider and use image loads to identify Mimikatz execution. We can collect the required data with this command: SilkETW.exe -t kernel -kk ImageLoad -ot file -p C:\Users\b33f\Desktop\mimikatz.json With data in hand it is easy to sort, grep and filter for the properties we are interested in (Figure 2). --------------------------------------------- http://www.fireeye.com/blog/threat-research/2019/03/silketw-because-free-te… ∗∗∗ Fake-Shop btckraken.de stielt Daten und liefert nicht! ∗∗∗ --------------------------------------------- Die Suche nach günstiger Technik führt manche Konsument/innen zu btckraken.de. Aus angeblichen Sicherheitsgründen werden bei einer Bestellung Ausweisdokumente verlangt. Eine Zahlung erfolgt vorab. Hier darf nicht bestellt werden: Es handelt sich um schweren Identitätsdiebstahl für weitere Verbrechen unter fremden Namen und die Waren werden nie geliefert! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-btckrakende-stielt-daten-u… ∗∗∗ Ransomware is not dead - a light analysis of LockerGoga ∗∗∗ --------------------------------------------- Despite many reports saying that the number of Ransomware samples is on the decrease, we see again and again big multinational companies suffering from these attacks.Just two days ago, Norway based Norsk Hydro - one of the Worlds largest Aluminium producers - was hit by a severe Ransomware attack: [...] --------------------------------------------- http://blog.joesecurity.org/2019/03/ransomware-is-not-dead-light-analysis.h… ∗∗∗ Severe security bug found in popular PHP library for creating PDF files ∗∗∗ --------------------------------------------- Vulnerability patched last year, but many websites and web apps will most likely remain vulnerable for years. --------------------------------------------- https://www.zdnet.com/article/severe-security-bug-found-in-popular-php-libr… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IP Phone 7800 Series and 8800 Series Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (libelf and wordpress), CentOS (cloud-init, cockpit, openssl, and tomcat), Gentoo (openssh), openSUSE (ovmf), Scientific Linux (cloud-init), and SUSE (go1.11, ldb, lftp, libssh2_org, and openwsman). --------------------------------------------- https://lwn.net/Articles/783566/ ∗∗∗ Security Advisory - Digital Signature Verification Bypass Vulnerability in Some Huawei Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190320-… ∗∗∗ Security Advisory - Signature Verification Bypass Vulnerability in Some Huawei Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190320-… ∗∗∗ OpenSSL vulnerability CVE-2019-1559 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K18549143 ∗∗∗ HPESBST03915 rev.1 - HPE CVAE products, and Hitachi Infrastructure Analytics Advisor(HIAA) using JDK, Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ IBM Security Bulletin: Cloudant Local Apache CouchDB CVE-2018-17188: Remote Privilege Escalations ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cloudant-local-apache… ∗∗∗ IBM Security Bulletin: This Power System update is being released to address CVE 2018-1992 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-this-power-system-upd… ∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM SDK, Java Technology Edition Quarterly CPU – Oct 2018 – Includes Oracle Oct 2018 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-ib… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Security Directory Integrator (CVE-2018-2800, CVE-2018-2783) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerabilities in deserialization of openid connect cookie ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-de… ∗∗∗ IBM Security Bulletin: Vulnerability in Apache CXF ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-apac… ∗∗∗ IBM Security Bulletin: Vulnerabilities in WAS traditional and liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-wa… ∗∗∗ IBM Security Bulletin: Vulnerability in IBM SDK, Java Technology Edition Quarterly CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-ibm-… ∗∗∗ IBM Security Bulletin: Vulnerabilities in 3RD PARTY XSS in IBM WebSphere CacheMonitor ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-3r… ∗∗∗ IBM Security Bulletin: Publicly Disclosed Vulnerability Found By vFinder (CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2018-12536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-publicly-disclosed-vu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.03.2019
by Daily end-of-shift report 19 Mar '19

19 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Montag 18-03-2019 18:00 − Dienstag 19-03-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Assessing Internal Network with JavaScript, Despite Same-Origin Policy ∗∗∗ --------------------------------------------- Researchers are warning about a hacking technique that enables attacks on the local network using JavaScript on a public website. Using the victims browser as a proxy, the code can reach internal hosts and do reconnaissance activity or even compromise vulnerable services. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/assessing-internal-network-w… ∗∗∗ Business Email Compromise (BEC) Attacks Moving to Mobile ∗∗∗ --------------------------------------------- As text messaging has become a common form of communication within a business, Business Email Compromise (BEC) scammers have started to go mobile by utilizing SMS messaging to direct their targets. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/business-email-compromise-be… ∗∗∗ Monsters in the Middleboxes: Introducing Two New Tools for Detecting HTTPS Interception ∗∗∗ --------------------------------------------- The practice of HTTPS interception continues to be commonplace on the Internet. This blog post discusses types of monster-in-the-middle devices and software, and how to detect them. --------------------------------------------- https://blog.cloudflare.com/monsters-in-the-middleboxes/ ∗∗∗ What Is a Credential Stuffing Attack and How to Protect Yourself from One ∗∗∗ --------------------------------------------- You probably heard of at least one credential stuffing attack lately, as major companies become targets of this new hacking technique. Credential stuffing is not actually new as part of hackers’ repertoire, but lately, the method started being employed more often. I’ll explain the reasons for this surge in popularity down below. Did you notice […]The post What Is a Credential Stuffing Attack and How to Protect Yourself from One appeared first on Heimdal Security Blog. --------------------------------------------- https://heimdalsecurity.com/blog/credential-stuffing-attack-protection/ ∗∗∗ Protecting Against Social Engineering Attacks ∗∗∗ --------------------------------------------- Most people think of hacking as using malware and coding to bypass security defenses and steal data or money. Social engineers take a different approach, targeting the human instead of the software to achieve their goals. How Social Engineering Works Social engineers take advantage of knowledge of human behavior to perform their attacks. A person’s […]The post Protecting Against Social Engineering Attacks appeared first on InfoSec Resources.Protecting Against Social Engineering --------------------------------------------- https://resources.infosecinstitute.com/protecting-against-social-engineerin… ∗∗∗ Vulnerability hunting with Semmle QL, part 2 ∗∗∗ --------------------------------------------- The first part of this series introduced Semmle QL, and how the Microsoft Security Response Center (MSRC) are using it to investigate variants of vulnerabilities reported to us. This post discusses an example of how we’ve been using it proactively, covering a security audit of an Azure firmware component. This was part of a wider... --------------------------------------------- https://blogs.technet.microsoft.com/srd/2019/03/19/vulnerability-hunting-wi… ∗∗∗ Arbitrary Directory Deletion in WP-Fastest-Cache ∗∗∗ --------------------------------------------- The WP-Fastest-Cache plugin authors released a new update, version 0.8.9.1, fixing a vulnerability (CVE-2019-6726) present during its install alongside the WP-PostRatings plugin. According to seclists.org: “A successful attack allows an unauthenticated attacker to specify a path to a directory from which files and directories will be deleted recursively. The vulnerable code path extracts the path portion of the referrer header and then uses string concatenation to build an absolute path. --------------------------------------------- http://feedproxy.google.com/~r/sucuri/blog/~3/dJRlgHKTUzY/arbitrary-directo… ∗∗∗ Discovering a zero day and getting code execution on Mozillas AWS Network ∗∗∗ --------------------------------------------- [...] Although basic authentication can be enabled by modifying the settings.ini file, and is recommended to prevent any anonymous access. Most deployments of WebPageTest that Assetnote CS identifies are unauthenticated, and the array of testing tools provided by WebPageTest can be used offensively to gain access to internal resources by server-side request forgery (commonly known as SSRF, but for WebPageTest, it is a feature). --------------------------------------------- https://blog.assetnote.io/bug-bounty/2019/03/19/rce-on-mozilla-zero-day-web… ∗∗∗ BGP Hijacking is a RIPE Policy Violation ∗∗∗ --------------------------------------------- This proposal aims to clarify that BGP hijacking is not accepted as normal practice within the RIPE NCC service region, primarily because it negates the core purpose of running a (Regional Internet) Registry. The proposal is not concerned with simple operational mistakes - it is intended to address deliberate BGP hijacking events. --------------------------------------------- https://www.ripe.net/participate/policies/proposals/2019-03 ∗∗∗ Thunderclap ∗∗∗ --------------------------------------------- Vor kurzer Zeit produzierte das O.MG Kabel Schlagzeilen. In dieses harmlos wirkende USB-Kabel ist eine versteckte Hardware eingebaut, die sich beim Anschließen gegenüber dem Betriebssystem als Eingabegerät ausgibt und einem Angreifer die Fernsteuerung eines Rechners über WLAN ermöglicht. Jetzt haben Sicherheitsforscher nach einer zwei Jahre dauernden Zusammenarbeit des Department of Computer Science and Technology at the University of Cambridge, der Rice University und [...] --------------------------------------------- https://www.dfn-cert.de/aktuell/Thunderclap.html ===================== = Vulnerabilities = ===================== ∗∗∗ AVEVA InduSoft Web Studio and InTouch Edge HMI ∗∗∗ --------------------------------------------- This advisory includes mitigations for an uncontrolled search path element vulnerability in AVEVAs InduSoft Web Studio and InTouch Edge human machine interface software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-078-01 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (libjpeg-turbo, liblivemedia, neutron, and otrs2), Fedora (SDL), Gentoo (ntp), openSUSE (java-1_8_0-openjdk), Red Hat (cloud-init), Slackware (libssh2), SUSE (libssh2_org, nodejs10, and nodejs8), and Ubuntu (tiff). --------------------------------------------- https://lwn.net/Articles/783473/ ∗∗∗ Synology-SA-19:12 Calendar ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to execute arbitrary commands via a susceptible version of Calendar. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_19_12 ∗∗∗ IBM Security Bulletin: This Power System update is being released to address CVE-2018-5391 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-this-power-system-upd… ∗∗∗ IBM Security Bulletin: This Power System update is being released to address CVE-2018-12384 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-this-power-system-upd… ∗∗∗ ENDRESS+HAUSER WIFI enabled products utilising WPA2 ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-005 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2019
by Daily end-of-shift report 18 Mar '19

18 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-03-2019 18:00 − Montag 18-03-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RFC8482 - Saying goodbye to ANY ∗∗∗ --------------------------------------------- Ladies and gentlemen, I would like you to welcome the new shiny RFC8482, which effectively deprecates DNS ANY query type. DNS ANY was a "meta-query" - think about it as a similar thing to the common A, AAAA, MX or SRV query types, but unlike these it wasnt a real query type - it was special. --------------------------------------------- https://blog.cloudflare.com/rfc8482-saying-goodbye-to-any/ ∗∗∗ Secure Coding — Top 15 Code Analysis Tools ∗∗∗ --------------------------------------------- Keeping code secure is a top objective for any software company. And to ensure secure coding, you need to perform code analysis during the development life cycle. While manual review of code was once the only option, now there are plenty of tools that can take care of this in an automated fashion. --------------------------------------------- https://resources.infosecinstitute.com/secure-coding-top-15-code-analysis-t… ∗∗∗ Lenovo Patches Intel Firmware Flaws in Multiple Product Lines ∗∗∗ --------------------------------------------- Lenovo has issued patches for several serious vulnerabilities in its products stemming from Intel technology fixes. --------------------------------------------- https://threatpost.com/lenovo-patches-high-severity-arbitrary-code-executio… ∗∗∗ Cryptojacking of businesses' cloud resources still going strong ∗∗∗ --------------------------------------------- In the past year or so, many cybercriminals have turned to cryptojacking as an easier and more low-key approach for "earning" money. While the value of cryptocurrencies like Bitcoin and Monero has been declining for a while now and Coinhive, the most popular in-browser mining service, has stopped working, cryptojacking is still a considerable threat. After all, attackers need to expand very little effort and are using someone else's resources for free. --------------------------------------------- https://www.helpnetsecurity.com/2019/03/18/cryptojacking-cloud-resources/ ∗∗∗ IPv6 unmasking via UPnP ∗∗∗ --------------------------------------------- With tools such as ZMap and Masscan and general higher bandwidth availability, exhaustive internet-wide scans of full IPv4 address space have become the norm after it was once impractical. Projects like Shodan and Scans.io aggregate and publish frequently updated datasets of scan results for public analysis, giving researchers greater insight into the current state of the internet. While IPv4 is the norm, the use of IPv6 [...] --------------------------------------------- https://blog.talosintelligence.com/2019/03/ipv6-unmasking-via-upnp.html ∗∗∗ Gefälschte CIA-Mails fordern Bitcoins wegen Kinderpornografie ∗∗∗ --------------------------------------------- Internetnutzer/innen erhalten gefälschte Nachrichten der CIA mit dem Betreff „Central Intelligence Agency – Case #12345678“. In der Nachricht wird behauptet, dass die Empfänger/innen im Rahmen von Ermittlungen gegen Kinderpornografie als Verdächtige aufscheinen. Um eine Verhaftung zu verhindern, sollen 10,000 Dollar in Bitcoins an die Absender/innen überwiesen werden. Der Inhalt der Nachrichten ist frei erfunden und die Zahlungen dürfen nicht [...] --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-cia-mails-fordern-bitcoi… ∗∗∗ New Mirai Variant Targets Enterprise Wireless Presentation & Display Systems ∗∗∗ --------------------------------------------- Unit 42 has discovered a new Mirai variant that targets business video display systems. It uses additional exploits, boosts the number of credentials for brute-force attacks and hosts payload on the compromised website of a Colombian security firm. --------------------------------------------- https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wi… ∗∗∗ Microsoft releases Application Guard extension for Chrome and Firefox ∗∗∗ --------------------------------------------- Extensions only available for Windows Insiders for now. To work for everyone once Windows 10 19H1 is live. --------------------------------------------- https://www.zdnet.com/article/microsoft-releases-application-guard-extensio… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Funktastatur nimmt Befehle von Angreifern entgegen ∗∗∗ --------------------------------------------- Die Verschlüsselung der kabellosen Fujitsu-Tastatur LX901 lässt sich von Angreifern auf gleich zwei Arten umgehen - und für Angriffe aus der Distanz nutzen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-funktastatur-nimmt-befehle-von-… ∗∗∗ SSH-Software: Kritische Sicherheitslücken in Putty ∗∗∗ --------------------------------------------- In der SSH-Software Putty sind im Rahmen eines von der EU finanzierten Bug-Bounty-Programms mehrere schwerwiegende Sicherheitslücken entdeckt worden. Der verwundbare Code wird auch von anderen Projekten wie Filezilla und WinSCP verwendet. --------------------------------------------- https://www.golem.de/news/ssh-software-kritische-sicherheitsluecken-in-putt… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ikiwiki, liblivemedia, linux-4.9, rdflib, and sqlalchemy), Fedora (advancecomp, kubernetes, mingw-poppler, and php), Mageia (ikiwiki), openSUSE (chromium, file, and sssd), Red Hat (ansible, openstack-ceilometer, and openstack-octavia), Scientific Linux (kernel), SUSE (galera-3, mariadb, mariadb-connector-c, java-1_8_0-ibm, kernel, nodejs10, openwsman, wireshark, and yast2-rmt), and Ubuntu (file, linux, linux-aws, linux-kvm, linux-raspi2, [...] --------------------------------------------- https://lwn.net/Articles/783370/ ∗∗∗ [webapps] Intel Modular Server System 10.18 - Cross-Site Request Forgery (Change Admin Password) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/46541 ∗∗∗ Security Advisory - Double Free Vulnerability on Bastet Module of Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190220-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect Watson Explorer and IBM Watson Content Analytics (CVE-2018-2579, CVE-2018-2588, CVE-2018-2602, CVE-2018-2603, CVE-2018-2633) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.03.2019
by Daily end-of-shift report 15 Mar '19

15 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-03-2019 18:00 − Freitag 15-03-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Threatlist: IMAP-Based Attacks Compromising Accounts at ‘Unprecedented Scale’ ∗∗∗ --------------------------------------------- Attackers are increasingly targeting insecure legacy protocols, like IMAP, to avoid running into multi-factor authentication in password-spraying campaigns. --------------------------------------------- https://threatpost.com/imap-attacks-compromise-accounts/142824/ ∗∗∗ DNS Tunneling: how DNS can be (ab)used by malicious actors ∗∗∗ --------------------------------------------- DNS is a critical foundation of the Internet that makes it possible to get to websites without entering numerical IP addresses. The power that makes DNS beneficial for everyone also creates potential for abuse. Unit 42 researchers explain how attackers can abuse DNS to hide their tracks and steal data using a technique known as "DNS Tunneling". This research can help organizations understand DNS-based threats and the risks they pose to their environment. --------------------------------------------- https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2019-0804 | Azure Linux Agent Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- An information disclosure vulnerability exists in the way Azure WaLinuxAgent creates swap files on resource disks. An authenticated attacker who successfully exploited this vulnerability could view data in swap that is normally hidden. --------------------------------------------- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019… ∗∗∗ VMSA-2019-0003 ∗∗∗ --------------------------------------------- VMware Horizon update addresses Connection Server information disclosure vulnerability. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0003.html ∗∗∗ VMSA-2019-0002 ∗∗∗ --------------------------------------------- VMware Workstation update addresses elevation of privilege issues. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2019-0002.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (mingw-poppler and php), Mageia (apache, gnome-keyring, gnupg2, hiawatha, and rsyslog), openSUSE (libcomps and obs-service-tar_scm), and Ubuntu (libvirt and linux-lts-trusty). --------------------------------------------- https://lwn.net/Articles/783140/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2018-1890, CVE-2018-12547) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio and IBM CPLEX Enterprise Server (CVE-2018-1890, CVE-2018-12547, CVE-2019-2426) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM MQ Console has inadequate input validation (CVE-2018-1836) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-console-has-in… ∗∗∗ HPESBNS03910 rev.1 - HPE NonStop SafeGuard, Local Disclosure of Sensitive Information ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ HPESBST03911 rev.1 - HPE Command View AE (CVAE) Products, multiple vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2019
by Daily end-of-shift report 14 Mar '19

14 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-03-2019 18:00 − Donnerstag 14-03-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücke: Schadcode per Wordpress-Kommentar ∗∗∗ --------------------------------------------- Gleich mehrere Sicherheitslücken kombinierte ein Sicherheitsforscher, um Schadcode in Wordpress ausführen zu können. Die Wordpress-Standardeinstellungen und ein angemeldeter Administrator reichten als Voraussetzung. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-schadcode-per-wordpress-komment… ∗∗∗ GlitchPOS Malware Appears to Steal Credit-Card Numbers ∗∗∗ --------------------------------------------- A new malware targeting point of sale systems, GlitchPOS, has been spotted on a crimeware forum. --------------------------------------------- https://threatpost.com/glitchpos-malware-credit-card/142804/ ∗∗∗ Further attack surface of Wordpress PHAR injection ∗∗∗ --------------------------------------------- In August 2018, Sam Thomas presented a new vulnerability of Wordpress at Black Hat USA 2018. The PHP object injection vulnerability is not new, but the way attacker can trigger this error is worth mentioning. In this article, I will go over the detail of this exploit and inspect further impact of this vulnerability to the Wordpress community. A list of more than 300 Wordpress plugins that could be used to exploit this bug is also included. --------------------------------------------- https://blog.cystack.net/wordpress-phar/ ∗∗∗ Jetzt updaten: Cisco patcht gegen eine von zwei Remote-Attacken ∗∗∗ --------------------------------------------- Zwei Cisco-Produkte sind aus der Ferne angreifbar. Updates gibt es aber wohl nur für Common Services Platform Collector – das IP-Telefon SPA514G ist zu alt. --------------------------------------------- http://heise.de/-4335459 ∗∗∗ Viele Intel-Rechner brauchen wieder BIOS-Updates ∗∗∗ --------------------------------------------- Gleich 17 neue Firmware-Sicherheitslücken meldet Intel, die sich allerdings auf mehrere Systeme verteilen und nur lokal am Rechner nutzbar sind. --------------------------------------------- http://heise.de/-4335118 ∗∗∗ Multiple Security Flaws Discovered in Visitor Management Systems ∗∗∗ --------------------------------------------- Vulnerabilities discovered by IBM security researchers in five different visitor management systems could be abused for data exfiltration or for access to the underlying machines. --------------------------------------------- https://www.securityweek.com/multiple-security-flaws-discovered-visitor-man… ∗∗∗ Netflix-Phishing-Mail im Umlauf ∗∗∗ --------------------------------------------- Netflix Nutzer/innen aufgepasst: Momentan sind wieder Phishing-Mails im Umlauf. Betrüger/innen fordern Sie im Namen von Netflix auf, Ihre Kontoinformationen zu überprüfen. Klicken Sie auf den Button in der E-Mail, werden Sie auf eine betrügerische Seite weitergeleitet. Folgen Sie den Anweisungen, erspähen Kriminelle Ihre Zugangs- und Kreditkartendaten. --------------------------------------------- https://www.watchlist-internet.at/news/netflix-phishing-mail-im-umlauf/ ∗∗∗ Magecart Isn't Just a Security Problem; It's Also a Business Problem ∗∗∗ --------------------------------------------- Magecart is more than just a security problem—it's also a business problem. When threat actors breached British Airways in September resulting in the compromise of thousands of customers’ credit cards, the world got a look at what the fallout of a modern security breach looks like. Immediately afterward, a law firm launched a £500 million[...] --------------------------------------------- https://www.riskiq.com/blog/external-threat-management/magecart-business-pr… ∗∗∗ New BitLocker attack puts laptops storing sensitive data at risk ∗∗∗ --------------------------------------------- New Zealand security researcher details never-before-seen attack for recovering BitLocker keys. --------------------------------------------- https://www.zdnet.com/article/new-bitlocker-attack-puts-laptops-storing-sen… ===================== = Vulnerabilities = ===================== ∗∗∗ Gemalto Sentinel UltraPro ∗∗∗ --------------------------------------------- This advisory includes mitigations for an uncontrolled search path element in Gemaltos Sentinel UltraPro encryption keys. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-073-02 ∗∗∗ PEPPERL+FUCHS WirelessHART-Gateways ∗∗∗ --------------------------------------------- This advisory includes mitigations for a path traversal vulnerability in PEPPERL+FUCHS WirelessHART-Gateways network products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-073-03 ∗∗∗ Video - Critical - Remote Code Execution - SA-CONTRIB-2019-037 ∗∗∗ --------------------------------------------- Project: Video Date: 2019-March-13 Security risk: Critical 19∕25 AC:None/A:Admin/CI:All/II:All/E:Theoretical/TD:All Vulnerability: Remote Code Execution Description: This module provides a field where editors can add videos to their content and this module offers functionality to transcode these videos to different sizes and formats.The module doesnt sufficiently sanitize some user input on administrative forms. --------------------------------------------- https://www.drupal.org/sa-contrib-2019-037 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium), Debian (libsdl1.2 and libsdl2), Fedora (firefox), Gentoo (bind, glibc, openssl, oracle-jdk-bin, webkit-gtk, and xrootd), Mageia (kernel), openSUSE (freerdp, mariadb, and obs-service-tar_scm), Oracle (openssl), Red Hat (kernel, kernel-rt, openstack-ceilometer, openstack-octavia, and tomcat), Scientific Linux (cockpit, openssl, and tomcat), and SUSE (java-1_7_1-ibm and mariadb). --------------------------------------------- https://lwn.net/Articles/783046/ ∗∗∗ BlackBerry powered by Android Security Bulletin - March 2019 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Ruby on Rails: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0221 ∗∗∗ IBM Security Bulletin: IBM® Db2® is vulnerable to privilege escalation via loading libraries from an untrusted path (CVE-2019-4094). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-db2-is-vulnerable… ∗∗∗ IBM Security Bulletin: Security vulnerability in the IBM HTTP Server (CVE-2018-17199) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud Transformation Advisor ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (CVE-2018-3180, CVE-2018-3139) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.03.2019
by Daily end-of-shift report 13 Mar '19

13 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-03-2019 18:00 − Mittwoch 13-03-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zertifizierungsstellen: Millionen TLS-Zertifikate mit fehlendem Zufallsbit ∗∗∗ --------------------------------------------- Viele TLS-Zertifikate wurden nicht nach den geltenden Regeln ausgestellt. Sie müssten eine zufällige 64-Bit-Seriennummer haben, es sind aber real nur 63 Bit. Ein Risiko ist praktisch nicht vorhanden, trotzdem müssen die Zertifikate zurückgezogen werden. --------------------------------------------- https://www.golem.de/news/zertifizierungsstellen-millionen-tls-zertifikate-… ∗∗∗ E-Learnings Digitale Sicherheit ∗∗∗ --------------------------------------------- Informationssicherheit hat für die Stadt Wien einen sehr hohen Stellenwert. Deshalb wurde ein aus sechs Modulen aufgebauter Kompakt-Kurs entwickelt, der den bewussten Umgang mit dem Thema Informationssicherheit in verschiedenen Lebenssituationen ermöglicht. [...] Am Ende kann man das erlangte Wissen bei einem kurzen Quiz überprüfen. --------------------------------------------- https://digitales.wien.gv.at/site/storyboard-e-learning/ ∗∗∗ Augen auf beim Online-Gebrauchtwagenkauf ∗∗∗ --------------------------------------------- Konsument/innen, die im Internet nach Gebrauchtwagen suchen, müssen sich vor folgender Betrugsmasche in Acht nehmen: Laut Verkaufsanzeigen befindet sich das Auto in Österreich. Später wird behauptet, dass es mittlerweile im Ausland ist und daher keine Besichtigung möglich ist. Bezahlung und Lieferung sollen versichert über erfundene Transport- und Zahlungsdienstleister erfolgen. Überwiesene Beträge sind verloren und die kommen nie an. --------------------------------------------- https://www.watchlist-internet.at/news/augen-auf-beim-online-gebrauchtwagen… ∗∗∗ Neue PGP-Keys ∗∗∗ --------------------------------------------- Nachdem unsere "alten" PGP-Keys nahe ihres Ablaufdatums sind, haben wir einen Satz neue Keys generiert. Diese sind wie üblich über den CERT.at PGP keyring verfügbar. --------------------------------------------- http://www.cert.at/services/blog/20190313150627-2400.html ===================== = Vulnerabilities = ===================== ∗∗∗ BSRT 2019 -001 Vulnerability in Management System Impacts BlackBerry AtHoc ∗∗∗ --------------------------------------------- This advisory addresses an XML External Entity Injection (XXE) vulnerability in the Management System (console) of affected versions of BlackBerry AtHoc that could potentially allow a successful attacker to read arbitrary local files from the application server or make requests on the network. BlackBerry is not aware of any exploitation of this vulnerability. --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ WordPress 5.1.1 Security and Maintenance Release ∗∗∗ --------------------------------------------- WordPress 5.1.1 is now available! This security and maintenance release introduces 10 fixes and enhancements, including changes designed to help hosts prepare users for the minimum PHP version bump coming in 5.2. --------------------------------------------- https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance… ∗∗∗ Microsoft March 2019 Patch Tuesday ∗∗∗ --------------------------------------------- This month we got patches for 64 vulnerabilities. Two of them have been exploited and four have been made public before today. Both exploited vulnerabilities (CVE-2019-0808 and CVE-2019-0797) affects win32k component on multiple Windows versions, from Windows 7 to 2019, and may lead to privilege escalation. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. --------------------------------------------- https://isc.sans.edu/forums/diary/Microsoft+March+2019+Patch+Tuesday/24742/ ∗∗∗ March 2019 Office Update Release ∗∗∗ --------------------------------------------- The March 2019 Public Update releases for Office are now available! This month, there are 6 security updates and 28 non-security updates. All of the security and non-security updates are listed in KB article 4491754. A new version of Office 2013 Click-To-Run is available: 15.0.5119.1000 A new version of Office 2010 Click-To-Run is available: 14.0.7230.5000 --------------------------------------------- https://blogs.technet.microsoft.com/office_sustained_engineering/2019/03/12… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsndfile, systemd, waagent, and xmltooling), Fedora (guacamole-server, postgresql-jdbc, and xen), Oracle (cockpit and kernel), Red Hat (cockpit, docker, kernel-alt, and openssl), SUSE (ceph, java-1_7_0-ibm, java-1_7_1-ibm, openssl-1_0_0, python-azure-agent, python-numpy, and supportutils), and Ubuntu (kernel, php5, and walinuxagent). --------------------------------------------- https://lwn.net/Articles/782926/ ∗∗∗ Vuln: Wibu Systems WibuKey DRM Multiple Input Validation Vulnerabilities ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/107005 ∗∗∗ Cisco Common Services Platform Collector Static Credential Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Small Business SPA514G IP Phones SIP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ ZDI: Hewlett Packard Enterprise Intelligent Management Center Vulnerabilities ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-271/ http://www.zerodayinitiative.com/advisories/ZDI-19-270/ http://www.zerodayinitiative.com/advisories/ZDI-19-269/ http://www.zerodayinitiative.com/advisories/ZDI-19-268/ http://www.zerodayinitiative.com/advisories/ZDI-19-267/ http://www.zerodayinitiative.com/advisories/ZDI-19-266/ http://www.zerodayinitiative.com/advisories/ZDI-19-265/ http://www.zerodayinitiative.com/advisories/ZDI-19-264/ http://www.zerodayinitiative.com/advisories/ZDI-19-263/ http://www.zerodayinitiative.com/advisories/ZDI-19-262/ http://www.zerodayinitiative.com/advisories/ZDI-19-261/ http://www.zerodayinitiative.com/advisories/ZDI-19-260/ http://www.zerodayinitiative.com/advisories/ZDI-19-259/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.03.2019
by Daily end-of-shift report 12 Mar '19

12 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Montag 11-03-2019 18:00 − Dienstag 12-03-2019 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücke: Serverbetreiber könnte Schweizer Onlinewahlen manipulieren ∗∗∗ --------------------------------------------- Eine schwere Sicherheitslücke im Onlinewahl-Code der Schweizer Post ermöglicht es dem Betreiber einer Wahl, das Ergebnis zu manipulieren. Die Schweizer Post weiß angeblich schon seit 2017 von dem Problem, der Hersteller hat es jedoch versäumt, den Fehler zu beheben. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-serverbetreiber-koennte-schweiz… ∗∗∗ Unpatched Windows Bug Allows Attackers to Spoof Security Dialog Boxes ∗∗∗ --------------------------------------------- Microsoft wont be patching the bug, but a proof of concept shows the potential for successful malware implantation. --------------------------------------------- https://threatpost.com/windows-bug-spoof-dialog-boxes/142711/ ∗∗∗ Identitätsdiebstahl durch Stellenangebote auf ebay Kleinanzeigen ∗∗∗ --------------------------------------------- Wer auf ebay Kleinanzeigen oder ähnlichen Portalen nach Jobs sucht, muss sich vor betrügerischen Angeboten in Acht nehmen. Gute Bezahlung und Arbeit von zu Hause locken zahlreiche Interessent/innen an. So geschehen auch bei der angeblichen CEBIT GmbH: Jobsuchende, die sich hier bewerben und die geforderten Unterlagen versenden, werden Opfer eines Identitätsdiebstahls und eröffnen im Extremfall Bankkonten im eigenen Namen, die später missbraucht werden. --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-durch-stellenan… ∗∗∗ WordPress shopping sites under attack ∗∗∗ --------------------------------------------- Hackers using cross-site scripting (XSS) flaw in abandoned cart plugin to take over vulnerable sites. --------------------------------------------- https://www.zdnet.com/article/wordpress-shopping-sites-under-attack/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Digital Editions (APSB19-16) and Adobe Photoshop CC (APSB19-15). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the bulletin. This posting is provided "AS IS" with no warranties [...] --------------------------------------------- https://blogs.adobe.com/psirt/?p=1724 ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- New: SSA-557804: Mirror Port Isolation Vulnerability in SCALANCE X switches Updated: SSA-168644: Spectre and Meltdown Vulnerabilities in Industrial Products SSA-170881: Vulnerabilities in SINUMERIK Controllers SSA-203306: Password Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact Relay Families SSA-254686: Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products SSA-346262: Denial-of-Service in Industrial Products SSA-348629: Denial-of-Service Vulnerability in SIMATIC PCS 7, SIMATIC WinCC, SIMATIC WinCC Runtime Professional and SIMATIC NET PC Software SSA-584286: Denial-of-Service Vulnerability in SIMATIC S7-1200 CPU and SIMATIC S7-1500 CPU SSA-824231: Unauthenticated Firmware Upload Vulnerability in Desigo PX Controllers SSB-439005: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html ∗∗∗ SAP Security Patch Day - March 2019 ∗∗∗ --------------------------------------------- On 12th of March 2019, SAP Security Patch Day saw the release of 9 Security Notes. Additionally, there were 3 updates to previously released security notes. We would like to inform that the vulnerability fixed by security note 2764283 is expected to be presented by a researcher at a security conference in March 2019. Therefore, we recommend our Customers to apply the SAP Security Note on priority. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=515408080 ∗∗∗ BIG-IP Configuration utility vulnerability CVE-2019-6598 ∗∗∗ --------------------------------------------- BIG-IP Configuration utility vulnerability CVE-2019-6598 Security Advisory Security Advisory Description Malformed requests to the Traffic Management User Interface (TMUI), also referred to as the [...] --------------------------------------------- https://support.f5.com/csp/article/K44603900 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (pacman), CentOS (java-1.7.0-openjdk), Debian (zabbix), Fedora (kernel-headers), openSUSE (libcomps), Oracle (kernel), Red Hat (chromium-browser), SUSE (ovmf and qemu), and Ubuntu (tiff). --------------------------------------------- https://lwn.net/Articles/782842/ ∗∗∗ [20190301] - Core - XSS in com_config JSON handler ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/JvJtucwH0Xs/772-20190301-c… ∗∗∗ [20190304] - Core - Missing ACL check in sample data plugins ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/yevVdAyNRRI/775-20190304-c… ∗∗∗ [20190303] - Core - XSS in media form field ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/-7y5ceiY85g/774-20190303-c… ∗∗∗ [20190302] - Core - XSS in item_title layout ∗∗∗ --------------------------------------------- http://feeds.joomla.org/~r/JoomlaSecurityNews/~3/uD680RYCbkk/773-20190302-c… ∗∗∗ IBM Security Bulletin: IBM Content Navigator is affected by a code execution vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-content-navigator… ∗∗∗ IBM Security Bulletin: Security Vulnerabilities affect IBM Cloud Private Storage – GlusterFS and Minio ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private Kiali Istio addon ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private Certificate Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: Vulnerability in Kerberos affects Power Hardware Management Console ( CVE-2018-5730 CVE-2018-5729) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-kerb… ∗∗∗ IBM Security Bulletin: Vulnerability in GnuTLS affects Power Hardware Management Console ( CVE-2018-10845 CVE-2018-10844) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-gnut… ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSL affects Power Hardware Management Console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-open… ∗∗∗ IBM Security Bulletin: Multiple security vulnerabilities affect Rational Engineering Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Multiple Cross-site scripting vulnerabilities affect IBM® Rational® Team Concert ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-cross-site-s… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Rational® Quality Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2019
by Daily end-of-shift report 11 Mar '19

11 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-03-2019 18:00 − Montag 11-03-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ E-Mail-Marketing: Datenbank mit 800 Millionen E-Mail-Adressen online ∗∗∗ --------------------------------------------- Wozu sammelt ein völlig unbekanntes Unternehmen Hunderte Millionen E-Mail-Adressen und weitere Nutzerdaten? Dahinter steckt eine Dienstleistung, die für Spammer nützlich ist. --------------------------------------------- https://www.golem.de/news/e-mail-marketing-datenbank-mit-800-millionen-e-ma… ∗∗∗ Free decrypters for BigBobRoss ransomware released ∗∗∗ --------------------------------------------- Here’s some good news for users whose files have been encrypted by the BigBobRoss ransomware: both Avast and Emsisoft have released decrypters. How do you know that you've been hit with BigBobRoss? The ransomware gets its name from the email address included in the ransom note, which comes in a file named Read Me.txt. Another indication that the user's files have been encrypted by this particular malware is the .obfuscated extension added to the encrypted [...] --------------------------------------------- https://www.helpnetsecurity.com/2019/03/11/decrypt-bigbobross-ransomware/ ∗∗∗ A quick lesson in confirmation bias ∗∗∗ --------------------------------------------- In my experience, hacking investigations are driven by ignorance and confirmation bias. We regularly see things we cannot explain. We respond by coming up with a story where our pet theory explains it. Since there is no alternative explanation, this then becomes evidence of our theory, where this otherwise inexplicable thing becomes proof.For example, take that "Trump-AlfaBank" theory. One of the oddities noted by researchers is lookups for [...] --------------------------------------------- https://blog.erratasec.com/2019/03/a-quick-lesson-in-confirmation-bias.html ∗∗∗ Vorsicht vor überteuerten Einreisegenehmigungen und E-Visa ∗∗∗ --------------------------------------------- Momentan stecken viele Konsument/innen mitten in der Planung ihrer nächsten Reise. Bei einigen Urlaubszielen, beispielsweise den USA, Kanada, der Türkei oder Ägypten, ist die Beantragung eines E-Visums oder einer Einreisegenehmigung vorab notwendig. Hierbei ist Vorsicht geboten, denn neben den offiziellen behördlichen Websites sind auch zahlreiche Dienstleister im Internet zu finden, die für die gleiche Leistung stark überhöhte Gebühren verrechnen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-ueberteuerten-einreiseg… ∗∗∗ The Hitchhiker's Guide To Initial Access ∗∗∗ --------------------------------------------- Abusing Bias - Part 2 --------------------------------------------- https://posts.specterops.io/the-hitchhikers-guide-to-initial-access-57b66aa… ===================== = Vulnerabilities = ===================== ∗∗∗ NREL BEopt 2.8.0 Insecure Library Loading Arbitrary Code Execution ∗∗∗ --------------------------------------------- BEopt suffers from a DLL Hijacking issue. The vulnerability is caused due to the application loading libraries (sdl2.dll and libegl.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening a related application file .BEopt located on a remote WebDAV or SMB share. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5513.php ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (polkit), Debian (chromium, openjpeg2, php7.0, poppler, and symfony), Fedora (evolution, kernel, and kernel-headers), Gentoo (curl, firefox, keepalived, rdesktop, systemd, tar, wget, and zsh), openSUSE (gdm and hiawatha), Slackware (ntp), SUSE (audit, containerd, docker, docker-runc, golang-github-docker-libnetwork, runc, file, java-1_8_0-openjdk, mariadb, openssl-1_0_0, and sssd), and Ubuntu (poppler). --------------------------------------------- https://lwn.net/Articles/782780/ ∗∗∗ Vuln: NTP CVE-2019-8936 Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/107337 ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private Metering ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities have been identified in FasterXML Jackson library shipped with IBM Tivoli Netcool/OMNIbus Common Integration Libraries (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2018-1000873) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private Service Catalog ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ glibc vulnerability CVE-2016-10739 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K35040315 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2019
by Daily end-of-shift report 08 Mar '19

08 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-03-2019 18:00 − Freitag 08-03-2019 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Serious Security: When randomness isn’t – and why it matters ∗∗∗ --------------------------------------------- The password ji32k7au4a83 looks pretty random and feels as though it should be unique - read this article to find out why its neither! --------------------------------------------- https://nakedsecurity.sophos.com/2019/03/08/serious-security-when-randomnes… ∗∗∗ Google warnt vor Zero-Day-Lücke in Windows 7 ∗∗∗ --------------------------------------------- Angreifer nutzten eine Kombination aus Lücken in Chrome und Windows 7, um Rechner mit Spionage-Software zu infizieren. Nur eine von beiden ist geschlossen. --------------------------------------------- http://heise.de/-4329796 ∗∗∗ Jetzt updaten: Kritische Lücke in Apache Solr ∗∗∗ --------------------------------------------- Einige Versionen der Open-Source-Suchplattform Solr weisen ein mögliches Einfallstor für entfernte Angreifer auf. Updates sind verfügbar. --------------------------------------------- http://heise.de/-4329895 ∗∗∗ From Fake Updates to Unwanted Redirects ∗∗∗ --------------------------------------------- At the end of February, we wrote about a massive wave of site infections that pushed fake browser updates. In the beginning of March, the attack evolved into redirecting site visitors to sketchy ad URLs. --------------------------------------------- http://labs.sucuri.net/?note=2019-03-08 ∗∗∗ Smart unhackable car alarms open the doors of 3 million vehicles to hackers ∗∗∗ --------------------------------------------- The moment you call a product "unhackable" you are asking for trouble. --------------------------------------------- https://www.zdnet.com/article/smart-car-alarms-opened-the-doors-of-3-millio… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Advisory 2019-02: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- March 08, 2019 — Please read carefully and check if the version of your OTRS system is affected by this vulnerability. --------------------------------------------- https://community.otrs.com/security-advisory-2019-02-security-update-for-ot… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (php-typo3-phar-stream-wrapper2), Mageia (gnutls, nagios, openssl, and python-gnupg), openSUSE (apache2, ceph, chromium, openssh, and webkit2gtk3), and Ubuntu (nvidia-graphics-drivers-390). --------------------------------------------- https://lwn.net/Articles/782653/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affects WebSphere Application Server January 2019 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Vulnerabilities identified in IBM® Java SDK affect WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio (CVE-2018-12547 and CVE-2019-2426) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-ident… ∗∗∗ IBM Security Bulletin: FileNet CMIS (FNCMIS) leveraging Spring Framework is vulnerable to a denial of service caused by improper handling of range request by the ResourceHttpRequestHandler ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-filenet-cmis-fncmis-l… ∗∗∗ IBM Security Bulletin: Security Vulnerabilities affect IBM Cloud Private Vulnerability Advisor Kafka and Notification Dispatcher ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: Security Vulnerabilities affect IBM Cloud Private MongoDB ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: Security Vulnerabilities affect IBM Cloud Private Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: Security Vulnerabilities affect IBM Cloud Private Logging ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-security-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM MQ could allow a local user to inject code that could be executed with root privileges. (CVE-2018-1998) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-could-allow-a-… ∗∗∗ IBM Security Bulletin: IBM MQ is vulnerable to a privilege escalation attack when using multiplexed channels (CVE-2018-1974) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-mq-is-vulnerable-… ∗∗∗ IBM Security Bulletin: Multiple buffer overflow vulnerabilities exist in IBM® Db2® leading to privilege escalation (CVE-2018-1922, CVE-2018-1923, CVE-2018-1978, CVE-2018-1980, CVE-2019-4015, CVE-2019-4016). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-buffer-overf… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2019
by Daily end-of-shift report 07 Mar '19

07 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-03-2019 18:00 − Donnerstag 07-03-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Emotet: Eine Übersicht über die Schadsoftware ∗∗∗ --------------------------------------------- Emotet ist bereits 2014 entdeckt worden, unterscheidet sich allerdings in vielen Facetten von anderer Schadsoftware. An dieser Stelle fassen wir die Facetten und Eigenschaften zusammen, die diese Schadsoftware so besonders macht und geben eine kurze Übersicht, wie man sich schützen kann. --------------------------------------------- https://www.dfn-cert.de/aktuell/emotet-beschreibung.html ∗∗∗ Financial Cyberthreats in 2018 ∗∗∗ --------------------------------------------- The presented report continues the series of Kaspersky Lab reports that provide an overview of how the financial threat landscape has evolved over the years. It covers the common phishing threats that users encounter, along with Windows-based and Android-based financial malware. --------------------------------------------- https://securelist.com/financial-cyberthreats-in-2018/89788/ ∗∗∗ Keine Schnäppchen bei cws-elektro.com ∗∗∗ --------------------------------------------- Bei cws-elektro.com finden Konsument/innen jegliche Elektroartikel zu teils günstigeren Preisen als bei anderen Händler/innen. Der Online-Shop ist jedoch nicht seriös. Berichten zufolge bleibt eine Lieferung aus. Sie verlieren Ihr Geld. --------------------------------------------- https://www.watchlist-internet.at/news/keine-schnaeppchen-bei-cws-elektroco… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-19-257: (0Day) Advantech WebAccess Node Product Installation File Access Control Modification Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on vulnerable installations of Advantech WebAccess Node. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-257/ ∗∗∗ Weak Configuration File Encryption in AVAYA One-X communicator ∗∗∗ --------------------------------------------- SEC Consult found a vulnerability within the encryption process used for configuration files of the Avaya One-X communicator. Being able to encrypt arbitrary plaintext by abusing the client, it was possible to decrypt sensitive passwords stored in configuration files. --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/weak-configuration-file-encr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by openSUSE (amavisd-new, apache2, and containerd, docker, docker-runc,), Red Hat (java-1.7.1-ibm and java-1.8.0-ibm), and Ubuntu (linux, linux-azure, linux-gcp, linux-kvm, linux-raspi2, linux-hwe, linux-azure, and php5, php7.0). --------------------------------------------- https://lwn.net/Articles/782572/ ∗∗∗ xpdf: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Mit Xpdf können PDF-Dokumente betrachtet werden. Dieser PDF-Betrachter ist zudem auch für Microsoft Windows verfügbar. Ein lokaler Angreifer kann mehrere Schwachstellen in xpdf ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K19-0193 ∗∗∗ Cisco NX-OS Software NX-API Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: IBM Cloud Kubernetes Service is affected by a Denial of Service vulnerability in Kubernetes API server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-kubernetes-… ∗∗∗ IBM Security Bulletin: API Connect is affected by an information disclosure vulnerability in the consumer API (CVE-2018-2009) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-api-connect-is-affect… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affect IBM Operational Decision Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM Security Guardium is affected by Red Hat kernel vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-guardium… ∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Apache Tomcat Publicly disclosed vulnerability (CVE-2018-11784) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-siem-is-vu… ∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to Publicly disclosed Samba vulnerabilities (CVE-2018-10858, CVE-2018-1139) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-siem-is-vu… ∗∗∗ IBM Security Bulletin: IBM Lotus Protector for Mail Security has released fixes in response to the public disclosed vulnerability for PHP (CVE-2018-19518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-lotus-protector-f… ∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to publicly disclosed vulnerability from GNU glibc (CVE-2018-11237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-siem-is-vu… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affects Optim Data Growth, Test Data Management and Application Retirement ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.03.2019
by Daily end-of-shift report 06 Mar '19

06 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-03-2019 18:00 − Mittwoch 06-03-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ FIRST releases DDoS mitigation training course ∗∗∗ --------------------------------------------- The Forum of Incident Response and Security Teams (FIRST), which brings together incident responders from around the world, invested in the creation of a new training course “DDoS Mitigation Fundamentals”. Authored by Krassimir T. Tzvetanov, a recognized expert in the field, the training teaches incident responders to handle attacks and securing their organisations. --------------------------------------------- https://www.first.org/newsroom/releases/20190305 ∗∗∗ Sicherheitsupdate: Chrome-Schwachstelle wird aktiv genutzt ∗∗∗ --------------------------------------------- Google hat in Chrome eine Sicherheitslücke behoben, die offenbar bereits aktiv ausgenutzt wird. Details gibt es bislang wenige, aber alle Nutzer von Chrome und dessen Derivaten sollten schnellstmöglich ihren Browser aktualisieren. (Chrome, Google) --------------------------------------------- https://www.golem.de/news/sicherheitsupdate-chrome-schwachstelle-wird-aktiv… ∗∗∗ Spotlight on Troldesh ransomware, aka ‘Shade’ ∗∗∗ --------------------------------------------- Troldesh is ransomware that relies heavily on user interaction. Nevertheless, a recent spike in detections shows its been successful against businesses in the first few months of 2019.Categories: MalwareThreat analysisTags: decryptordecryptorsransom.troldeshransomwareransomware remediationshadethreat spotlightTroldesh(Read more...)The post Spotlight on Troldesh ransomware, aka ‘Shade’ appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2019/03/spotlight-troldesh-ra… ∗∗∗ Phishing-Versuch durch gefälschte Bawag-Sicherheits-App ∗∗∗ --------------------------------------------- Zahlreiche Konsument/innen melden eine gefälschte Bawag P.S.K. Mail an uns. Kriminelle versuchen darin, potenzielle Opfer zur Installation einer vermeintlichen Sicherheits-App zu bewegen. Die Applikation darf nicht installiert werden, denn ansonsten gelangen die Kriminellen an die Online-Banking-Daten Ihrer Opfer und es kann zu großen finanziellen Schäden kommen. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-versuch-durch-gefaelschte-b… ===================== = Vulnerabilities = ===================== ∗∗∗ Vuln: SAP NetWeaver J2EE Engine CVE-2018-17861 Cross Site Scripting Vulnerability ∗∗∗ --------------------------------------------- Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. SAP NetWeaver J2EE Engine 7.01 is vulnerable; other versions may also be affected. --------------------------------------------- http://www.securityfocus.com/bid/107269 ∗∗∗ Vuln: NetApp SnapCenter CVE-2017-15515 Cross Site Scripting Vulnerability ∗∗∗ --------------------------------------------- Remote attackers can exploit this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, gain sensitive information, cause denial-of-service conditions and launch other attacks. NetApp SnapCenter prior to 4.0 is vulnerable. --------------------------------------------- http://www.securityfocus.com/bid/107272 ∗∗∗ Vuln: Apache Mesos CVE-2018-11793 Denial of Service Vulnerability ∗∗∗ --------------------------------------------- Successfully exploiting this issue allows remote attackers to crash the affected application, denying service to legitimate users. Apache Mesos version 1.4.0 through 1.7.0 are vulnerable; other versions may also be affected. --------------------------------------------- http://www.securityfocus.com/bid/107281 ∗∗∗ Default Privileged Account Vulnerability in the NetApp Service Processor (CVE-2019-5490) ∗∗∗ --------------------------------------------- Certain versions of the NetApp Service Processor firmware were shipped with a default account enabled that could allow unauthorized arbitrary command execution. --------------------------------------------- https://security.netapp.com/advisory/ntap-20190305-0001/ ∗∗∗ OpenSSL Security Advisory: ChaCha20-Poly1305 with long nonces (CVE-2019-1543) ∗∗∗ --------------------------------------------- Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. --------------------------------------------- https://www.openssl.org/news/secadv/20190306.txt ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-1.7.0-openjdk and java-11-openjdk), Debian (mumble and sox), Fedora (drupal7, drupal7-link, firefox, gpsd, ignition, ming, php-erusev-parsedown, and php-Smarty), openSUSE (hiawatha, python, and supportutils), Oracle (java-1.7.0-openjdk), Red Hat (java-1.7.0-openjdk), Scientific Linux (java-1.7.0-openjdk), and Ubuntu (linux, linux-aws, linux-gcp, linux-kvm, linux-oem, linux-oracle, linux-raspi2 and linux-hwe, linux-aws-hwe, linux-azure, --------------------------------------------- https://lwn.net/Articles/782462/ ∗∗∗ Rockwell Automation Patches Critical DoS/RCE Flaw in RSLinx Software ∗∗∗ --------------------------------------------- Patches released by Rockwell Automation for its RSLinx Classic software address a critical vulnerability that can be exploited for denial-of-service (DoS) attacks and possibly for remote code execution. --------------------------------------------- https://www.securityweek.com/rockwell-automation-patches-critical-dosrce-fl… ∗∗∗ PEPPERL+FUCHS Path traversal in WirelessHART Gateway ∗∗∗ --------------------------------------------- https://cert.vde.com/de-de/advisories/vde-2019-002 ∗∗∗ Cisco Nexus 9000 Series Fabric Switches Application-Centric Infrastructure Mode Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Nexus 9000 Series Switches Standalone NX-OS Mode Tetration Analytics Agent Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FXOS and NX-OS Lightweight Directory Access Protocol Denial of Service Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Image Signature Verification Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Bash Shell Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Nexus 9000 Series Switches Standalone NX-OS Mode Fibre Channel over Ethernet NPV Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Netstack Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Unauthorized Filesystem Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Cisco Fabric Services Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability (CVE-2019-1613) ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability (CVE-2019-1612) ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FXOS and NX-OS Software CLI Command Injection Vulnerability (CVE-2019-1611) ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability (CVE-2019-1610) ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability (CVE-2019-1609) ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability (CVE-2019-1608) ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability (CVE-2019-1607) ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability (CVE-2019-1606) ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software NX-API Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software 802.1X Extensible Authentication Protocol over LAN Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software Bash Shell Role-Based Access Control Bypass Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco NX-OS Software NX-API Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Nexus 5600 and 6000 Series Switches Fibre Channel over Ethernet Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Action Recommended to Secure the Cisco Nexus PowerOn Auto Provisioning Feature ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco DNA Center Access Contract Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Enterprise Chat and Email Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Application Policy Infrastructure Controller IPv6 Link-Local Address Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Nexus 9000 Series Fabric Switches Application Centric Infrastructure Mode Shell Escape Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Nexus 9000 Series Fabric Switches Application-Centric Infrastructure Mode Arbitrary File Read Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FXOS and NX-OS Software Unauthorized Directory Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server January 2019 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: IBM API Connect Developer Portal is affected by arbitrary PHP code execution vulnerability in Drupal (CVE-2019-6340) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-devel… ∗∗∗ IBM Security Bulletin: IBM API Connect is affected by a critical vulnerability in Kubernetes via runc (CVE-2019-5736) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-af… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cloud Transformation Advisor ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: IBM QRadar SIEM is vulnerable to publicly disclosed vulnerabilities from OpenSSL (CVE-2018-0739, CVE-2018-0732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-qradar-siem-is-vu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.03.2019
by Daily end-of-shift report 05 Mar '19

05 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Montag 04-03-2019 18:00 − Dienstag 05-03-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RSAC 2019: Microsoft Zero-Day Allows Exploits to Sneak Past Sandboxes ∗∗∗ --------------------------------------------- The flaw allows attackers to hide exploits in weaponized Word documents in a way that won’t trigger most antivirus solutions, the researchers said. In a recent spam campaign observed by Mimecast, attached Word attachments contained a hidden exploit for an older vulnerability in Microsoft Equation Editor (CVE-2017-11882). --------------------------------------------- https://threatpost.com/zero-day-exploit-microsoft/142327/ ∗∗∗ SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability ∗∗∗ --------------------------------------------- Leakage ... is visible in all Intel generations starting from 1st-gen Intel Core CPUs Further demonstrating the computational risks of looking into the future, boffins have found another way to abuse speculative execution in Intel CPUs to leak secrets and other data from running applications.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2019/03/05/spoiler_int… ∗∗∗ Keine Alibis und Urkundenfälschungen auf dokumenten-guru.de bestellen! ∗∗∗ --------------------------------------------- Auf dokumenten-guru.de finden Konsument/innen ein höchst zwielichtiges Angebot. Gegen Zahlung per Vorkasse werden gefälschte Alibis, Scheinrechnungen, Dokumente sowie die Fälschung von Zeugnissen und Zertifikaten angeboten. Die Dienste sollten auf keinen Fall in Anspruch genommen werden, denn während Lieferungen Erfahrungsberichten zufolge ohnedies ausbleiben, machen sich Konsument/innen durch die Nutzung gefälschter Urkunden und Zeugnisse strafbar! --------------------------------------------- https://www.watchlist-internet.at/news/keine-alibis-und-urkundenfaelschunge… ∗∗∗ Keine Dienste von installateur-24.info nutzen ∗∗∗ --------------------------------------------- Bei der Google-Suche nach Installateursunternehmen stoßen Konsument/innen auf installateur-24.info. Die Betreiber/innen der Seite werben mit einem rund um die Uhr Notservice, fairen Preisen und viel Erfahrung. Wer die Dienste in Anspruch nimmt, wird böse überrascht, denn die Preise fallen extrem hoch aus und die erbrachten Leistungen lassen zu wünschen übrig. --------------------------------------------- https://www.watchlist-internet.at/news/keine-dienste-von-installateur-24inf… ===================== = Vulnerabilities = ===================== ∗∗∗ Android Security Bulletin - March 2019 ∗∗∗ --------------------------------------------- [...] The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. --------------------------------------------- https://source.android.com/security/bulletin/2019-03-01.html ∗∗∗ VMSA-2018-0023 ∗∗∗ --------------------------------------------- The AirWatch Agent for iOS devices contains a data protection vulnerability whereby the files and keychain entries in the Agent are not encrypted. The VMware Content Locker for iOS devices contains a data protection vulnerability in the SQLite database. This vulnerability relates to unencrypted filenames and associated metadata in SQLite database for the Content Locker. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0023.html ∗∗∗ Xen XSA-294 ∗∗∗ --------------------------------------------- Malicious 64bit PV guests may be able to cause a host crash (Denial of Service). Additionally, vulnerable configurations are unstable even in the absence of an attack. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-294.html ∗∗∗ Xen XSA-293 ∗∗∗ --------------------------------------------- A malicious unprivileged guest userspace process can escalate its privilege to that of other userspace processes in the same guest, and potentially thereby to that of the guest operating system. Additionally, some guest software which attempts to use this CPU feature may trigger the bug accidentally, leading to crashes or corruption of other processes in the same guest. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-293.html ∗∗∗ Xen XSA-292 ∗∗∗ --------------------------------------------- Malicious PV guests may be able to cause a host crash (Denial of Service) or to gain access to data pertaining to other guests. Privilege escalation opportunities cannot be ruled out. Additionally, vulnerable configurations are likely to be unstable even in the absence of an attack. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-292.html ∗∗∗ Xen XSA-291 ∗∗∗ --------------------------------------------- Malicious or buggy x86 PV guest kernels can mount a Denial of Service (DoS) attack affecting the whole system. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-291.html ∗∗∗ Xen XSA-290 ∗∗∗ --------------------------------------------- Malicious or buggy x86 PV guest kernels can mount a Denial of Service (DoS) attack affecting the whole system. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-290.html ∗∗∗ Xen XSA-288 ∗∗∗ --------------------------------------------- An untrusted PV domain with access to a physical device can DMA into its own pagetables, leading to privilege escalation. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-288.html ∗∗∗ Xen XSA-287 ∗∗∗ --------------------------------------------- A single PV guest can leak arbitrary amounts of memory, leading to a denial of service. A cooperating pair of PV and HVM/PVH guests can get a writable pagetable entry, leading to information disclosure or privilege escalation. Privilege escalation attacks using only a single PV guest or a pair of PV guests have not been ruled out. Note that both of these attacks require very precise timing, which may be difficult to exploit in practice. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-287.html ∗∗∗ Xen XSA-285 ∗∗∗ --------------------------------------------- Malicious PV guests can escalate their privilege to that of the hypervisor. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-285.html ∗∗∗ Xen XSA-284 ∗∗∗ --------------------------------------------- The primary impact is a memory leak. Malicious or buggy guests with passed through PCI devices may also be able to escalate their privileges, crash the host, or access data belonging to other guests. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-284.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nss), openSUSE (procps), Red Hat (redhat-virtualization-host, rhvm-appliance, and vdsm), SUSE (freerdp, kernel, and obs-service-tar_scm), and Ubuntu (openssh). --------------------------------------------- https://lwn.net/Articles/781363/ ∗∗∗ Security Advisory - FRP Bypass Vulnerability on Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190305-… ∗∗∗ IBM Security Bulletin: A vulnerability in Spice affects PowerKVM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-sp… ∗∗∗ IBM Security Bulletin: A vulnerability in Polkit affects PowerKVM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-po… ∗∗∗ IBM Security Bulletin: A vulnerability in Bind affects PowerKVM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-bi… ∗∗∗ IBM Security Bulletin: Vulnerabiliies in systemd affect PowerKVM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabiliies-in-sys… ∗∗∗ IBM Security Bulletin: A vulnerability in Perl affects PowerKVM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-pe… ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in WebSphere Application Server Admin Console (CVE-2019-4030) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-cross-site-scripting-… ∗∗∗ IBM Security Bulletin: A vulnerability in keepalived affects PowerKVM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ke… ∗∗∗ IBM Security Bulletin: Vulnerabilities in the Linux Kernel affect PowerKVM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabilities-in-th… ∗∗∗ IBM Security Bulletin: Vulnerabiliies in libmspack affect PowerKVM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerabiliies-in-lib… ∗∗∗ IBM Security Bulletin: A vulnerability in NetworkManager affects PowerKVM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-vulnerability-in-ne… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2019
by Daily end-of-shift report 04 Mar '19

04 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-03-2019 18:00 − Montag 04-03-2019 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The Overlooked Security Threat of Sign-In Kiosks ∗∗∗ --------------------------------------------- New research from IBM shows that several visitor management systems had a rash of vulnerabilities. --------------------------------------------- https://www.wired.com/story/visitor-management-system-vulnerabilities ∗∗∗ Cisco-Router: Forscher melden Hinweise auf aktive Angriffe ∗∗∗ --------------------------------------------- Eine vergangene Woche gepatchte Sicherheitslücke in mehreren Cisco-Geräten scheint nun aktiv von Angreifern ausgenutzt zu werden. Nutzer sollten zügig handeln. --------------------------------------------- http://heise.de/-4325072 ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Adobe veröffentlicht Sicherheitsupdate für Coldfusion ∗∗∗ --------------------------------------------- Adobe hat für die Coldfusion-Versionen 11, 2016 und 2018 ein wichtiges Sicherheitsupdate veröffentlicht. Anwender sollten es möglichst schnell installieren. Der Grund sind laufende Angriffe. (Adobe, Sicherheitslücke) --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-adobe-veroeffentlicht-sicherhei… ∗∗∗ Frist verstrichen: Google enthüllt ungepatchte Schwachstelle im macOS-Kernel ∗∗∗ --------------------------------------------- Apple hat einen Bug in XNU nach 90 Tagen nicht beseitigt, nun wurden Details veröffentlicht. Googles Project Zero stuft die Schwere der Lücke als "hoch" ein. --------------------------------------------- http://heise.de/-4325636 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (chromium, file, gdm, lib32-openssl-1.0, openssl-1.0, and pcre), Debian (advancecomp, ceph, jackson-databind, openssh, and openssl), Fedora (community-mysql, distcc, freerdp, gdm, gnome-boxes, libexif, openocd, pidgin-sipe, remmina, SDL, and xpdf), openSUSE (kernel-firmware and php5), Oracle (java-1.8.0-openjdk and java-11-openjdk), Slackware (infozip and python), and SUSE (caasp-container-manifests, changelog-generator-data-sles12sp3-velum, --------------------------------------------- https://lwn.net/Articles/781243/ ∗∗∗ Vuln: EMC RSA Authentication Manager CVE-2019-3711 Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/107210 ∗∗∗ IBM Security Bulletin: Potential WebSphere Application Server weakness in security affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-1996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-potential-websphere-a… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Change Data Capture is affected by a jackson-core open source library vulnerability (CVE-2018-0125) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-change… ∗∗∗ IBM Security Bulletin: InfoSphere Data Replication is affected by a Guava open source library vulnerability (CVE-2018-10237) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-infosphere-data-repli… ∗∗∗ IBM Security Bulletin: OpenSSL DSA signature algorithm security vulnerability affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-0734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-openssl-dsa-signature… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-3139, CVE-2018-3180) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-vulnerabilit… ∗∗∗ IBM Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-1901) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-privilege-escalation-… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Change Data Capture is affected by a Jackson 2.3.3 and 2.4.4 open source library vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-change… ∗∗∗ IBM Security Bulletin: IBM Cloud Private middleware is vulnerable to attack from redirect calls ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-private-mid… ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private – CVE-2018-1938 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: A Security Vulnerability affects IBM Cloud Private – CVE-2018-1937 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-a-security-vulnerabil… ∗∗∗ IBM Security Bulletin: IBM Cloud Kubernetes Service is affected by a privilege escalation vulnerability in runc ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-kubernetes-… ∗∗∗ HPESBHF03913 rev.1 - HPE OneSphere, Container Breakout ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.03.2019
by Daily end-of-shift report 01 Mar '19

01 Mar '19

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-02-2019 18:00 − Freitag 01-03-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Netzwerkanalyse: Wireshark 3.0 nutzt Paketsniffer von Nmap ∗∗∗ --------------------------------------------- Die aktuelle Version 3.0 des Werkzeugs zur Netzwerkanalyse, Wireshark, nutzt unter Windows den proprietären Paketsniffer von Nmap. Das Projekt entfernt außerdem alte Abhängigkeiten und unterstützt einige 5G-Protokolle. --------------------------------------------- https://www.golem.de/news/netzwerkanalyse-wireshark-3-0-nutzt-paketsniffer-… ∗∗∗ eBay-Phishing auf eBay-Seite ∗∗∗ --------------------------------------------- Betrügern ist es gelungen, eine gefälschte Login-Seite auf einem SSL-gesicherten eBay-Server abzulegen. Der Phishing-Versuch ist für Nutzer schwer erkennbar. --------------------------------------------- http://heise.de/-4324266 ∗∗∗ A Case Study in Wagging the Dog: Computer Takeover ∗∗∗ --------------------------------------------- Last month, Elad Shamir released a phenomenal, in depth post on abusing resource-based constrained delegation (RBCD) in Active Directory. One of the big points he discusses is that if the TrustedToAuthForDelegation UserAccountControl flag is not set, the S4U2self process will still work but the resulting TGS is not FORWARDABLE. This resulting service ticket will fail for traditional constrained delegation, but will still work in the S4U2proxy process for resource-based constrained delegation. --------------------------------------------- https://posts.specterops.io/a-case-study-in-wagging-the-dog-computer-takeov… ∗∗∗ Finding Perpetrators behind DDoS Attacks ∗∗∗ --------------------------------------------- Reflective Amplification Denial-of-Service attacks continue to be a serious threat.We measured roughly 10,000 attacks per day in a post last year, and the numbers have not gone down since:In the first two months of 2019 our honeypot network already saw [...] --------------------------------------------- https://sissden.eu/blog/finding-perpetrators-behind-ddos-attacks ===================== = Vulnerabilities = ===================== ∗∗∗ PSI GridConnect Telecontrol ∗∗∗ --------------------------------------------- This advisory provides mitigation recommendations for a cross-site scripting vulnerability reported in PSI GridConnects Telecontrol compact DIN rail device. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-059-01 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, file, ikiwiki, ldb, openssl1.0, php7.0, uw-imap, and wordpress), Fedora (ansible, file, flatpak, kernel, kernel-headers, and python-django), openSUSE (kernel and systemd), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (openssl-1_1 and webkit2gtk3), and Ubuntu (libgd2). --------------------------------------------- https://lwn.net/Articles/781083/ ∗∗∗ IBM Security Bulletin: Information Disclosure Security Vulnerability Affects IBM Sterling B2B Integrator (CVE-2019-4063) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-information-disclosur… ∗∗∗ IBM Security Bulletin: Financial Transaction Manager for ACH Services is affected by a potential SQL Injection vulnerability (CVE-2019-4032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-financial-transaction… ∗∗∗ IBM Security Bulletin: Multiple Cross-Site Scripting Vulnerabilities Affect IBM Sterling B2B Integrator (CVE-2019-4027, CVE-2019-4028, CVE-2019-4029) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-cross-site-s… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private – Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities in OpenSSL Affect IBM Sterling B2B Integrator (CVE-2018-0734, CVE-2018-5407) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-security-vul… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Governance Catalog is affected by an Improper Access Control vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-govern… ∗∗∗ IBM Security Bulletin: IBM InfoSphere Governance Catalog is vulnerable to an Open Redirection vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-infosphere-govern… ∗∗∗ IBM Security Bulletin: IBM Security Identity Adapters affected by OpenSSL RSA Key vulnerability (CVE-2018-0737) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-security-identity… ∗∗∗ IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities for IBM Java SDK ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-has-announced-a-r… ∗∗∗ IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities for IBM WebSphere Liberty Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-has-announced-a-r… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2019
by Daily end-of-shift report 28 Feb '19

28 Feb '19

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-02-2019 18:00 − Donnerstag 28-02-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ENISA makes recommendations on EU-wide election cybersecurity ∗∗∗ --------------------------------------------- In the context of the upcoming elections for the European Parliament, today the EU Agency for Cybersecurity ENISA publishes an opinion paper on the cybersecurity of elections and provides concrete and forward-looking recommendations to improve the cybersecurity of electoral processes in the EU. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/enisa-makes-recommendations-on-… ∗∗∗ Schluss mit Krypto-Mining im Browser: Coinhive stellt Betrieb ein ∗∗∗ --------------------------------------------- Webseitenbesucher mehr oder minder freiwillig Kryptogeld schürfen lassen lohnt wohl nicht mehr: Der Krypto-Mining-Dienst Coinhive gibt auf. --------------------------------------------- http://heise.de/-4322936 ∗∗∗ Vorsicht beim Kauf von Konzertkarten über Facebook ∗∗∗ --------------------------------------------- Konsument/innen finden auf den Facebookseiten unterschiedlichster Konzerte und Events Ticket-Verkaufsangebote von Privatpersonen. Wer die Tickets kaufen möchte, tritt häufig in Kontakt mit Kriminellen, die Fake-Profile nutzen. Das Geld soll ins Ausland überwiesen werden, die Konzertkarten existieren nicht und die Nutzer/innenkonten der Betroffenen werden später für die gleiche Betrugsmasche missbraucht. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-beim-kauf-von-konzertkarten… ∗∗∗ perfect-housekeeping.store und hauslinie.store sind Fake-Shops ∗∗∗ --------------------------------------------- Auf der Suche nach günstigen Haushaltsgeräten stoßen Sie womöglich auf perfect-housekeeping.store oder hauslinie.store. Kaffeemaschinen, Kühlschränke, Waschmaschinen und Co können dort deutlich günstiger als in anderen Shops erworben werden. Wir raten von einer Bestellung ab, denn die Ware kann ausschließlich vorab bezahlt werden. Geliefert wird jedoch nie! --------------------------------------------- https://www.watchlist-internet.at/news/perfect-housekeepingstore-und-hausli… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gpac, qemu, and sox), openSUSE (libqt5-qtbase), Red Hat (java-1.8.0-openjdk and java-11-openjdk), SUSE (bluez), and Ubuntu (nss and openssl, openssl1.0). --------------------------------------------- https://lwn.net/Articles/780960/ ∗∗∗ ZDI-19-230: (0day) Advantech WebAccess Node tv_enua Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-230/ ∗∗∗ ZDI-19-229: (0day) Advantech WebAccess Node spchapi Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-229/ ∗∗∗ ZDI-19-228: (0day) Microsoft Visual Studio settings XML External Entity Processing Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-19-228/ ∗∗∗ Security Advisory - FRP Bypass Vulnerability on Some Huawei Smartphones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20190228-… ∗∗∗ IBM Security Bulletin: IBM Cloud Private is affected by an issue with runc used by Docker ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-cloud-private-is-… ∗∗∗ IBM Security Bulletin: Kernel Buffer Overflow in IBM Security Trusteer Rapport for MacOS (CVE-2018-1985) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-kernel-buffer-overflo… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.02.2019
by Daily end-of-shift report 27 Feb '19

27 Feb '19

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-02-2019 18:00 − Mittwoch 27-02-2019 18:00 Handler: Dimitri Robl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Google Analytics and Angular in Magento Credit Card Stealing Scripts ∗∗∗ --------------------------------------------- Over the last few months, we’ve noticed several credit card-stealing scripts that use variations of the Google Analytics name to make them look less suspicious and evade detection by website owners. The malicious code is obfuscated and injected into legitimate JS files, such as skin/frontend/default/theme122k/js/jquery.jscrollpane.min.js, js/meigee/jquery.min.js, and js/varien/js.js. The obfuscated code loads another script from www.google-analytics[.]cm/analytics.js. Continue reading --------------------------------------------- https://blog.sucuri.net/2019/02/google-analytics-and-angular-in-magento-cre… ∗∗∗ Top ten most popular docker images each contain at least 30 vulnerabilities ∗∗∗ --------------------------------------------- [...] The findings show that in every docker image we scanned, we found vulnerable versions of system libraries. The official Node.js image ships 580 vulnerable system libraries, followed by the others each of which ship at least 30 publicly known vulnerabilities. --------------------------------------------- https://snyk.io/blog/top-ten-most-popular-docker-images-each-contain-at-lea… ∗∗∗ Thunderclap: Macs und PCs anfällig für bösartige Thunderbolt-Peripherie ∗∗∗ --------------------------------------------- Bestehende Schutzmechanismen reichen laut Sicherheitsforschern nicht aus, um Angriffe über USB-C-Peripherie abzuwehren. --------------------------------------------- http://heise.de/-4321946 ∗∗∗ Chrome Zero-Day Exploited to Harvest User Data via PDF Files ∗∗∗ --------------------------------------------- Exploit detection service EdgeSpot says it has spotted several PDF documents that exploit a zero-day vulnerability in Chrome to collect information on users who open the files through Google’s web browser. read more --------------------------------------------- https://www.securityweek.com/chrome-zero-day-exploited-harvest-user-data-pd… ∗∗∗ Ärger mit vermeintlich kostenlosen Bestellungen! ∗∗∗ --------------------------------------------- Zahlreiche Konsument/innen beschweren sich über Online-Shops wie vermano.de, vimabel.de, deinschmuckladen.com oder lieblings-mensch.com bei uns. Diese werben mit kostenlosen Produkten, für die lediglich Versandkosten anfallen. Die Bestellungen können viel Ärger mit sich bringen. So sind die sie beispielsweise minderwertig, kommen nicht an, führen zu hohen Mahngebühren oder Rücktritte sind nicht möglich. Wir raten von Einkäufen ab. --------------------------------------------- https://www.watchlist-internet.at/news/aerger-mit-vermeintlich-kostenlosen-… ===================== = Vulnerabilities = ===================== ∗∗∗ Moxa IKS, EDS ∗∗∗ --------------------------------------------- This advisory includes mitigations for classic buffer overflow, cross-site request forgery, cross-site scripting, improper access controls, improper restriction of excessive authentication attempts, missing encryption of sensitive data, out-of-bounds read, unprotected storage of credentials, predictable from observable state, and uncontrolled resource consumption vulnerabilities reported in the Moxa IKS and EDS industrial switches. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-19-057-01 ∗∗∗ Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools Update Service Command Injection Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the update service of Cisco Webex Meetings Desktop App and Cisco Webex Productivity Tools for Windows could allow an authenticated, local attacker to execute arbitrary commands as a privileged user. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (elasticsearch and logstash), CentOS (java-1.8.0-openjdk, kernel, and polkit), Debian (chromium, exiv2, and phpmyadmin), Fedora (java-1.8.0-openjdk-aarch32 and mgetty), openSUSE (docker-runc, gvfs, qemu, systemd, and thunderbird), Oracle (java-1.8.0-openjdk, kernel, and polkit), Red Hat (polkit), Scientific Linux (java-1.8.0-openjdk, kernel, and polkit), Slackware (openssl), SUSE (amavisd-new, apache2, ceph, containerd, docker, docker-runc, [...] --------------------------------------------- https://lwn.net/Articles/780859/ ∗∗∗ IBM Security Bulletin: Vulnerability in the Linux kernel affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-5391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-vulnerability-in-the-… ∗∗∗ IBM Security Bulletin: Multiple Samba vulnerabilities affect IBM Spectrum Protect Plus (CVE-2018-1139, CVE-2018-1140, CVE-2018-10858, CVE-2018-10918, CVE-2018-10919) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-security-bulletin-multiple-samba-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily