- Daily - CERT.at

Tageszusammenfassung - 06.06.2018
by Daily end-of-shift report 06 Jun '18

06 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-06-2018 18:00 − Mittwoch 06-06-2018 18:00 Handler: Olaf Schwarz Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sofacy Group’s Parallel Attacks ∗∗∗ --------------------------------------------- Unit 42’s continued look at the Sofacy Group’s activity reveals the persistent targeting of government, diplomatic and other strategic organizations across North America and Europe.The post Sofacy Group’s Parallel Attacks appeared first on Palo Alto Networks Blog. --------------------------------------------- https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-pa… ∗∗∗ Converting PCAP Web Traffic to Apache Log ∗∗∗ --------------------------------------------- PCAP data can be really useful when you must investigate an incident but when the amount of PCAP files to analyse is counted in gigabytes, it may quickly become tricky to handle. Often, the first protocol to be analysed is HTTP because it remains a classic infection or communication vector used by malware. What if you could analyze HTTP connections like an Apache access log? This kind of log can be easily indexed/processed by many tools. --------------------------------------------- https://isc.sans.edu/diary/rss/23739 ∗∗∗ Researchers warn widespread Google Group misconfigurations are exposing sensitive data ∗∗∗ --------------------------------------------- A survey of 2.5 million domains looked for configurations publicly exposed, found 9,637 exposed organizations, then used a random sample of 171 public organizations to determine nearly 3,000 domains were leaking sensitive data. --------------------------------------------- https://www.scmagazine.com/researchers-find-widespread-google-group-misconf… ∗∗∗ VPNFilter Update - VPNFilter exploits endpoints, targets new devices ∗∗∗ --------------------------------------------- Cisco Talos, while working with our various intelligence partners, has discovered additional details regarding "VPNFilter." In the days since we first published our findings on the campaign, we have seen that VPNFilter is targeting more makes/models of devices than initially thought, and has additional capabilities, including the ability to deliver exploits to endpoints. --------------------------------------------- https://blog.talosintelligence.com/2018/06/vpnfilter-update.html ∗∗∗ Schwachstelle Zip Slip: Beim Entpacken ist Schadcode inklusive ∗∗∗ --------------------------------------------- Viele Coding-Bibliotheken sind beim Entpacken von Archiven angreifbar. Ist eine Attacke erfolgreich, könnte Schadcode auf Computer gelangen. --------------------------------------------- http://heise.de/-4070792 ∗∗∗ Warnung vor anenberg.store ∗∗∗ --------------------------------------------- Auf anenberg.store finden Konsument/innen Grafikkarten und Krypto-Miner. Wir raten von einem Einkauf bei dem Anbieter ab, denn er zeigt Auffälligkeiten. Internet-Nutzer/innen warnen vor einer Bestellung, die Preise sind teilweise sehr niedrig und die Bezahlung der Ware ist nur im Voraus möglich. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-anenbergstore/ ∗∗∗ Markenfälscher-Alarm auf backpacks.at! ∗∗∗ --------------------------------------------- Auf backpacks.at finden KonsumentInnen Schuhe und Taschen von Marken wie Michael Kors, Tamaris, Buffalo oder Ralph Lauren. Die Preise sind extrem niedrig und sollen zu einem schnellen Kauf verlocken. Die .at-Domain lässt zwar ein österreichisches Unternehmen vermuten, doch eigentlich wird der Shop aus Asien betrieben, gelieferte Ware entspricht nicht der Bestellten und ein Widerruf ist aussichtslos. --------------------------------------------- https://www.watchlist-internet.at/news/markenfaelscher-alarm-auf-backpacksa… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (git), Fedora (php-symfony, php-symfony4, and thunderbird-enigmail), Mageia (glpi and libreoffice), openSUSE (dpdk-thunderxdpdk, git, and ocaml), SUSE (glibc, libvorbis, and zziplib), and Ubuntu (elfutils, git, and procps). --------------------------------------------- https://lwn.net/Articles/756761/ ∗∗∗ Philips IntelliVue Patient and Avalon Fetal Monitors ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-156-01 ∗∗∗ ABB IP Gateway ∗∗∗ --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-156-01 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ Internet Pass Thru ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016280 ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Tivoli Storage Manager FastBack (CVE-2018-2602) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016679 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilites in IBM Java Runtime affect IBM Spectrum Protect (Tivoli Storage Manager) Windows and Macintosh Client (CVE-2018-2603, CVE-2018-2633) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016042 ∗∗∗ IBM Security Bulletin: Apache Commons FileUpload vulnerability affects IBM Spectrum Protect Plus (CVE-2016-1000031) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016826 ∗∗∗ IBM Security Bulletin: IBM MQ Appliance is affected by an OpenSSL vulnerability ( CVE-2017-3736) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016116 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.06.2018
by Daily end-of-shift report 05 Jun '18

05 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Montag 04-06-2018 18:00 − Dienstag 05-06-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit ∗∗∗ --------------------------------------------- Hundreds of thousands of websites running on the Drupal CMS—including those of major educational institutions and government organizations around the world—have been found vulnerable to a highly critical flaw for which security .. --------------------------------------------- https://thehackernews.com/2018/06/drupalgeddon2-exploit.html ∗∗∗ IoT Botnets Found Using Default Credentials for C&C Server Databases ∗∗∗ --------------------------------------------- Not following cybersecurity best practices could not only cost online users but also cost cybercriminals. Yes, sometimes hackers dont take best security measures to keep their infrastructure safe. A variant of IoT botnet, called Owari, that relies on default or weak credentials to hack insecure IoT devices was found itself using default credentials in its MySQL server integrated with command --------------------------------------------- https://thehackernews.com/2018/06/iot-botnet-password.html ∗∗∗ In eigener Sache: CERT.at sucht Verstärkung ∗∗∗ --------------------------------------------- Für unsere täglichen Routineaufgaben suchen wir derzeit 1 Berufsein- oder -umsteiger/in mit ausgeprägtem Interesse an IT-Security, welche/r uns bei den täglich anfallenden Standard-Aufgaben unterstützt. Details finden sich auf unserer Jobs-Seite. https://cert.at/about/jobs/jobs.html --------------------------------------------- https://www.cert.at/services/blog/20180605165955-2249.html ∗∗∗ Sicherheitsupdates: Mehrere AV-Anwendungen von F-Secure sind löchrig ∗∗∗ --------------------------------------------- In verschiedenen Endpoint-Protection-Produkten von F-Secure für Windows klaffen kritische Sicherheitslücken. --------------------------------------------- http://heise.de/-4068340 ∗∗∗ Vulnerability Spotlight: TALOS-2018-0535 - Ocularis Recorder VMS_VA Denial of Service Vulnerability ∗∗∗ --------------------------------------------- Vulnerabilities discovered by Carlos Pacho from TalosOverviewTalos is disclosing a denial-of-service vulnerability in the Ocularis Recorder. Ocularis is a video management software (VMS) platform used in a variety of .. --------------------------------------------- https://blog.talosintelligence.com/2018/06/vulnerability-spotlight-talos-20… ∗∗∗ Hacking, tracking, stealing and sinking ships ∗∗∗ --------------------------------------------- At Infosecurity Europe this year, we demonstrated multiple methods to interrupt the shipping industry, several of which haven’t been demonstrated in public before, to our knowledge. Some of these issues were simply through .. --------------------------------------------- https://www.pentestpartners.com/security-blog/hacking-tracking-stealing-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Aironet 1800, 2800, and 3800 Series Access Point Platforms ARP Request Handling Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability exists in Cisco Access Point (AP) platforms when processing Address Resolution Protocol (ARP) packets that could allow an unauthenticated, adjacent attacker to inject crafted entries into the ARP .. --------------------------------------------- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-… ∗∗∗ FortiSwitch rest_admin account exposed under specific conditions ∗∗∗ --------------------------------------------- During an upgrade to version 3.4.1, a FortiSwitch device may let an attackerlog in the rest_admin account without a password, if all the conditions beloware met: * The FortiSwitch device .. --------------------------------------------- http://fortiguard.com/advisory/FG-IR-16-011 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.06.2018
by Daily end-of-shift report 04 Jun '18

04 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-06-2018 18:00 − Montag 04-06-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Mobile Devs Making the Same Security Mistakes Web Devs Made in the Early 2000s ∗∗∗ --------------------------------------------- Mobile app developers are going through the same growing pains that the webdev scene has gone through in the 90s and 2000s when improper input validation led to many security incidents. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mobile-devs-making-the-same-… ∗∗∗ SMiShing with Punycode ∗∗∗ --------------------------------------------- Cybercriminals keep coming up with new ways to steal and profit from personal user data. Because mobile devices are so prevalent, and so capable, they are becoming the targets of a variety of cyberattacks that were previously limited to computers. One such attack technique is SMS phishing—SMiShing—in which attacks are delivered via text messages. --------------------------------------------- https://www.zscaler.com/blogs/research/smishing-punycode ∗∗∗ Scammers Targeting Booking.com Users with Phishing Messages ∗∗∗ --------------------------------------------- Scammers recently targeted Booking.com customers with phishing messages designed to steal their sensitive financial information. According to The Sun, criminals sent out WhatsApp messages and text messages to customers claiming that a security breach had occurred and that recipients needed to change their passwords. The attack correspondence came with a link that, when clicked, gave [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/cyber-s… ∗∗∗ Warnung vor SEPA-Lastschriftbetrug bei Unternehmen ∗∗∗ --------------------------------------------- Unternehmen, die ihre Bankdaten öffentlich haben, werden Opfer eines Betrugs, bei dem Kriminelle ihre Bankverbindung für Verbrechen nutzen. Die Täter/innen greifen auf das SEPA-Lastschriftverfahren zurück und täuschen einen Einzugsermächtigung oder einen Abbuchungsauftrag vor. In anderen Fällen nennen sie bei betrügerischen Einkäufen die Bankdaten des Unternehmens. Es droht ein hoher Geldverlust. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-sepa-lastschriftbetrug-b… ∗∗∗ Zahlen - Visa-Kreditkarten aufgrund Hardware-Fehlers unbenutzbar ∗∗∗ --------------------------------------------- Der Betrieb laufe nun wieder wie normal – es gebe keinen Hinweis auf einen kriminellen Angriff --------------------------------------------- https://derstandard.at/2000080869035/Visa-Kreditkarten-aufgrund-Hardware-Fe… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Security Updates, (Sun, Jun 3rd) ∗∗∗ --------------------------------------------- Summary (MacOS, iOS, tvOS, watchOS) --------------------------------------------- https://isc.sans.edu/diary/rss/23727 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (procps, xmlrpc, and xmlrpc3), Debian (batik, prosody, redmine, wireshark, and zookeeper), Fedora (jasper, kernel, poppler, and xmlrpc), Mageia (git and wireshark), Red Hat (rh-java-common-xmlrpc), Slackware (git), SUSE (bzr, dpdk-thunderxdpdk, and ocaml), and Ubuntu (exempi). --------------------------------------------- https://lwn.net/Articles/756489/ ∗∗∗ Jenkins-Plugins: Mehrere Schwachstellen ermöglichen u.a. das Ausführen beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1064/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security AppScan Enterprise ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016709 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.06.2018
by Daily end-of-shift report 01 Jun '18

01 Jun '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-05-2018 18:00 − Freitag 01-06-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ May 2018 mobile malware review from Doctor Web ∗∗∗ --------------------------------------------- May 31, 2018 In May 2018 Doctor Web specialists found several Google Play applications containing the Trojan Android.Click.248.origin. It loaded fraudulent websites on which users subscribed to expensive mobile services. Also .. --------------------------------------------- https://news.drweb.com/show/?i=12618&lng=en&c=9 ∗∗∗ Shell Logins as a Magento Reinfection Vector ∗∗∗ --------------------------------------------- Recently, we have come across a number of websites that were facing reinfection of a credit card information stealer malware within the following files: app/Mage.php; lib/Varien/Autoload.php; index.php; app/code/core/Mage/Core/functions.php; These are .. --------------------------------------------- https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vecto… ∗∗∗ Rig Exploit Kit Now Using CVE-2018-8174 to Deliver Monero Miner ∗∗∗ --------------------------------------------- An exploit kit such as Rig usually starts off with a threat actor compromising a website to inject a malicious script/code that eventually redirects would-be victims to the exploit kit’s landing page. Sometime around .. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/rig-exploit-kit… ∗∗∗ Expired domain led to SpamCannibals blacklist eating the whole world ∗∗∗ --------------------------------------------- The domain of the little-used SpamCannibal DNS blacklist had expired, resulting in it .. --------------------------------------------- https://www.virusbulletin.com:443/blog/2018/05/expired-domain-led-spamcanni… ∗∗∗ Sicherheitslücke gefährdete zehn Jahre lang Millionen Steam-Client-Nutzer ∗∗∗ --------------------------------------------- Der Steam-Client war verwundbar und Angreifer hätten mit vergleichsweise wenig Aufwand Schadcode auf Computer schmuggeln können. --------------------------------------------- http://heise.de/-4061777 ∗∗∗ Browser - WebAuthn: Bei Chrome kann man sich vielerorts nun ohne Passwort anmelden ∗∗∗ --------------------------------------------- Fingerabdruckscanner oder spezielle USB-Sticks können stattdessen verwendet werden --------------------------------------------- https://derstandard.at/2000080745632/WebAuthn-Bei-Chrome-kann-man-sich-viel… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco TelePresence TX9000 Series Cross-Frame Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web UI of Cisco TelePresence TX9000 Series Software could allow an unauthenticated, remote attacker to conduct a cross-frame scripting (XFS) attack against a user of the web UI of the .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Synology-SA-18:30 SSL VPN Client ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to conduct man-in-the-middle attacks via a susceptible version of SSL VPN Client. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_18_30 ∗∗∗ HPESBUX03818 rev.1 - HP-UX Secure Shell, Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.05.2018
by Daily end-of-shift report 30 May '18

30 May '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-05-2018 18:00 − Mittwoch 30-05-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ultraschallangriffe bringen Festplatten zum Absturz ∗∗∗ --------------------------------------------- Sicherheitsforscher haben mit Schall- und Ultraschallattacken Videoüberwachungssyteme, aber auch PCs und Laptops außer Gefecht gesetzt. --------------------------------------------- https://futurezone.at/science/ultraschallangriffe-bringen-festplatten-zum-a… ∗∗∗ Yahoo-Hack: Kanadier zu fünf Jahren Gefängnis verurteilt ∗∗∗ --------------------------------------------- Für den russischen Geheimdienst beschaffte ein Hacker den Zugang zu 80 Webmail-Konten durch Eindringen in das Yahoo-System. Jetzt muss er ins Gefängnis. --------------------------------------------- http://heise.de/-4060708 ∗∗∗ Roboter Pepper kämpft mit massiven Sicherheitsproblemen ∗∗∗ --------------------------------------------- Die "feindliche" Übernahme von einem Roboter ist ein Horrorszenario. Beim Service-Roboter Pepper ist das möglich, wie Wissenschaftler herausgefunden haben. --------------------------------------------- http://heise.de/-4060743 ∗∗∗ Will the Real Joker’s Stash Come Forward? ∗∗∗ --------------------------------------------- For as long as scam artists have been around so too have opportunistic thieves who specialize in ripping off other scam artists. This is the story about a group of Pakistani Web site designers who apparently have made an impressive living impersonating some of the most popular and well known "carding" markets, or online stores that sell stolen credit cards. --------------------------------------------- https://krebsonsecurity.com/2018/05/will-the-real-jokers-stash-come-forward/ ∗∗∗ 0patching Foxit Reader Buffer... Oops... Integer Overflow (CVE-2017-17557) ∗∗∗ --------------------------------------------- In April, Steven Seeley of Source Incite published a report of a vulnerability in Foxit Reader and PhantomPDF versions up to 9.0.1 that could allow for remote code execution on a target system. Public release of this report was coordinated with an official vendor fix included in the Aprils Foxit Reader and PhantomPDF 9.1. release.According to our analysis the PoC attached to the report triggers a heap-based buffer overflow in a Bitmap image data copy operation .. --------------------------------------------- http://blog.0patch.com/2018/05/0patching-foxit-reader-buffer-oops.html ∗∗∗ Cookie consent script used to distribute malware ∗∗∗ --------------------------------------------- Since the new website cookie usage regulations in the EU have come into place, many websites have added a warning on their website about how they use cookies on it and as well, ask for your consent. ]]> --------------------------------------------- http://labs.sucuri.net/?note=2018-05-29 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4212 git - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4212 ∗∗∗ DSA-4213 qemu - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4213 ∗∗∗ Potential XSS in "CSRF validation failure" page due to lack of referer sanitization ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-18-059 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.05.2018
by Daily end-of-shift report 29 May '18

29 May '18

===================== = End-of-Day report = ===================== Timeframe: Montag 28-05-2018 18:00 − Dienstag 29-05-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cobalt Hacking Group Still Active Despite Leaders Arrest ∗∗∗ --------------------------------------------- Despite their leaders arrest in Spain two months ago, the Cobalt hacker group thats specialized in stealing money from banks and financial institutions has remained active, even launching a new campaign. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-still-a… ∗∗∗ 2018 Fraud World Cup ∗∗∗ --------------------------------------------- There are only two weeks to go before the start of the massive soccer event - FIFA World Cup. This championship has already attracted the attention of millions worldwide, including a fair few cybercriminals. Long before kick-off, email accounts began bulging with soccer-related spam, and scammers started exploiting the topic in mailings and creating World Cup-themed phishing pages. --------------------------------------------- https://securelist.com/2018-fraud-world-cup/85878/ ∗∗∗ Qihoo 360 discovers high-risk security issues in EOS, says 80% digital wallets have problems ∗∗∗ --------------------------------------------- Blockchain platform EOS is facing a series of high-risk security vulnerabilities, according to Chinese cybersecurity company Qihoo 360 which published a report on May 29. The company's Vulcan team discovered that attacks can be remotely executed on the EOS node, TechNode's Chinese sister site reports. --------------------------------------------- https://technode.com/2018/05/29/qihoo-360-security-issues-eos/ ∗∗∗ New LTS Release ∗∗∗ --------------------------------------------- Back around the end of 2014 we posted our release strategy. This was the first time we defined support timelines for our releases, and added the concept of an LTS (long-term support) release. At our OMC meeting earlier this month, we picked our next LTS release. This post walks through that announcement, and tries to explain all the implications of it. --------------------------------------------- https://www.openssl.org/blog/blog/2018/05/18/new-lts/ ∗∗∗ Kritische Lücken in IBMs Sicherheits-Lösung QRadar ∗∗∗ --------------------------------------------- Ausgerechnet in der Sicherheitslösung QRadar, die Angriffe aufdecken und verhindern soll, klafften kritische Lücken, die externen Angreifern vollen Zugriff gewährten. --------------------------------------------- http://heise.de/-4060177 ∗∗∗ Keine 359,88 Euro an MEDIA ADVICE LIMITED bezahlen! ∗∗∗ --------------------------------------------- Die betrügerische Media Advice Limited betreibt verschiedene Streaming-Plattformen, wie tutoflix.de, soloflix.de oder megaflix.de. InteressentInnen sollen sich auf den Websites registrieren, um Zugriff auf das Film-Angebot zu bekommen. Wer den Anweisungen folgt, wird böse überrascht, denn die Registrierung führt zu einer Premium-Mitgliedschaft, die Kosten von 359,88 Euro pro Jahr verursacht. Der Betrag sollte auf keinen Fall bezahlt werden, denn ein gültiger Vertrag kam --------------------------------------------- https://www.watchlist-internet.at/news/keine-35988-euro-an-media-advice-lim… ===================== = Vulnerabilities = ===================== ∗∗∗ GNU Barcode 0.99 Memory Leak ∗∗∗ --------------------------------------------- GNU Barcode suffers from a memory leak vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the cmdline.c, which can be exploited to cause a memory leak via a specially crafted file. The vulnerability is confirmed in version 0.99. Other versions may also be affected. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5471.php ∗∗∗ GNU Barcode 0.99 Buffer Overflow ∗∗∗ --------------------------------------------- The vulnerability is caused due to a boundary error in the processing of an input file, which can be exploited to cause a buffer overflow when a user processes e.g. a specially crafted file. Successful exploitation could allow execution of arbitrary code on the affected machine. --------------------------------------------- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5470.php ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (wireshark), Fedora (kernel), openSUSE (enigmail), Red Hat (kernel), SUSE (cairo, java-1_7_0-ibm, libvirt, perl-DBD-mysql, and xen), and Ubuntu (batik and isc-dhcp). --------------------------------------------- https://lwn.net/Articles/755884/ ∗∗∗ WordPress plugin "Site Reviews" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN60978548/ ∗∗∗ WordPress plugin "Email Subscribers & Newsletters" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN16471686/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22014445 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and WebSphere Message Broker ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016387 ∗∗∗ Unprotected WiFi access & Unencrypted data transfer in Vgate iCar2 OBD2 Dongle ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/unprotected-wifi-access-unen… ∗∗∗ Spring Framework vulnerability CVE-2018-1258 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K18193959 ∗∗∗ HPESBHF03852 rev.1 - HPE Intelligent Management Center (iMC) Wireless Service Manager (WSM) Software, Remote Code Execution ∗∗∗ --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.05.2018
by Daily end-of-shift report 28 May '18

28 May '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-05-2018 18:00 − Montag 28-05-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Capture and Analysis of User Agents, (Sun, May 27th) ∗∗∗ --------------------------------------------- ISC collects web logs which also includes User-Agents. If you are running a honeypot or a web server, it is fairly easy to quickly use some Regex to parse the logs and get a count of what is most commonly seen. This is some of the activity I have observed over the past week, some well know user-agent associated with valid browser versions and some custom that are telltale to hacking tools: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/23705 ∗∗∗ NCSC-NL/taranis3 ∗∗∗ --------------------------------------------- NCSC-NL has published their internal workflow management tool "Taranis" on GitHub. This makes it easier for the community to contribute to future developments. --------------------------------------------- https://github.com/NCSC-NL/taranis3/ ∗∗∗ VPNFilter-Botnetz: US-Behörden raten dringend zu Router- und NAS-Neustart ∗∗∗ --------------------------------------------- Weil wichtige Teile der Infrastruktur des Botnetzes VPNFilter gekapert wurden, kann ein Neustart die Infektion entschärfen. Deswegen raten FBI und US-Justizministerium zum Neustart von SOHO-Routern und NAS-Geräten. --------------------------------------------- https://www.heise.de/-4059341 ∗∗∗ Efail: Empfohlener Workaround für Apple Mail und PGP schützt offenbar nicht ∗∗∗ --------------------------------------------- Apples E-Mail-Client mit GPG Suite kann verschlüsselte Mails einem Bericht zufolge weiterhin preisgeben, auch wenn der Nutzer das Laden entfernter Inhalte deaktiviert hat. Die Anzeige von HTML-Mails lässt sich in Apple Mail nicht komplett abschalten. --------------------------------------------- http://heise.de/-4059867 ∗∗∗ Attackers Fake Computational Power to Steal CryptoCurrencies from Mining Pools ∗∗∗ --------------------------------------------- Recently, we detected a new type of attack which targets some equihash mining pools. After analysis, we found out the attacked equihash mining pools are [...] --------------------------------------------- https://blog.360totalsecurity.com/en/attackers-fake-computational-power-ste… ∗∗∗ Warnung vor mmg-tennis.de ∗∗∗ --------------------------------------------- Im Webstore mmg-tennis.de finden Konsument/innen günstige Markenware. Bei dieser handelt es sich um Produktfälschungen. Kund/innen, die bei mmg-tennis.de einkaufen, müssen deshalb mit zahlreichen Nachteilen und überhöhten Geldabbuchungen rechnen. Wir raten daher dringend von einem Einkauf bei mmg-tennis.de ab. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-mmg-tennisde/ ===================== = Vulnerabilities = ===================== ∗∗∗ 2018-1014: Moodle: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- Eine Schwachstelle in Moodle ermöglicht einem entfernten, einfach authentifizierten Angreifer mit der Berechtigung, Berechnungsfragen zu erstellen, die Ausführung beliebigen Programmcodes ( https://moodle.org/mod/forum/discuss.php?d=371199#p1496353 ). Mehrere weitere Schwachstellen [...] --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-1014/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (batik, cups, gitlab, ming, and xdg-utils), Fedora (dpdk, firefox, glibc, nodejs-deep-extend, strongswan, thunderbird, thunderbird-enigmail, wavpack, xdg-utils, and xen), Gentoo (ntp, rkhunter, and zsh), openSUSE (Chromium, GraphicsMagick, jasper, opencv, pdns, and wireshark), SUSE (jasper, java-1_7_1-ibm, krb5, libmodplug, and openstack-nova), and Ubuntu (thunderbird). --------------------------------------------- https://lwn.net/Articles/755796/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016544 ∗∗∗ IBM Security Bulletin: Security Bulletin: IBM Cloud Orchestrator and Cloud Orchestrator Enterprise update of IBM® SDK Java™ Technology Edition and IBM® Runtime Environment Java™ ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000370 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.05.2018
by Daily end-of-shift report 25 May '18

25 May '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-05-2018 18:00 − Freitag 25-05-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Z-Shave Attack Could Impact Over 100 Million IoT Devices ∗∗∗ --------------------------------------------- The Z-Wave wireless communications protocol used for some IoT/smart devices is vulnerable to a downgrade attack that can allow a malicious party to intercept and tamper with traffic between smart devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/z-shave-attack-could-impact-… ∗∗∗ Electron: Was es mit dem Patch des Patches auf sich hat... ∗∗∗ --------------------------------------------- Die Entwickler von Electron haben in der vorigen Woche einen Patch für den Januar-Patch ihres Cross-Plattform-Frameworks zur Erstellung von Desktop-Apps veröffentlicht. Ein Sicherheitsforscher von Doyensec erläuterte nun, warum das notwendig war. --------------------------------------------- https://www.heise.de/-4058755 ∗∗∗ Gefälschter Überweisungsauftrag für Vereins-Kassier/innen ∗∗∗ --------------------------------------------- Vereins-Kassier/innen erhalten eine angebliche Benachrichtigung ihrer Obfrau oder ihres Obmanns, in der es heißt, dass der Verein dringend Geld ins Ausland überweisen müsse. Kommen sie der Aufforderung nach, verliert der Verein Geld, denn das Schreiben stammt von Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschter-ueberweisungsauftrag-fu… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#338343: strongSwan VPN charon server vulnerable to buffer underflow ∗∗∗ --------------------------------------------- [...] strongSwan VPNs charon server prior to version 5.6.3 does not check packet length and may allow buffer underflow, resulting in denial of service. --------------------------------------------- http://www.kb.cert.org/vuls/id/338343 ∗∗∗ BeaconMedaes TotalAlert Scroll Medical Air Systems ∗∗∗ --------------------------------------------- This medical device advisory includes mitigations for improper access controls, insufficiently protected credentials, and unprotected storage of credentials vulnerabilities in the BeaconMedaes TotalAlert Scroll Medical Air Systems web application. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-144-01 ∗∗∗ Schneider Electric Floating License Manager ∗∗∗ --------------------------------------------- This advisory includes mitigations for heap-based buffer overflow, improper restriction of operations within the bounds of a memory buffer, and open redirect vulnerabilities in the Schneider Electric Floating License Manager. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-144-01 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind, libofx, and thunderbird), Debian (thunderbird, xdg-utils, and xen), Fedora (procps-ng), Mageia (gnupg2, mbedtls, pdns, and pdns-recursor), openSUSE (bash, GraphicsMagick, icu, and kernel), Oracle (thunderbird), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, and thunderbird), Scientific Linux (thunderbird), and Ubuntu (curl). --------------------------------------------- https://lwn.net/Articles/755667/ ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by an Application Error vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016515 ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by an Incorrect Permission Assignment for Critical Resource vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016132 ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Query Parameter in SSL Request vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016131 ∗∗∗ IBM Security Bulletin: IBM Spectrum Control (formerly IBM Tivoli Storage Productivity Center) is affected by a vulnerability in Apache CXF (CVE-2017-12624) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014053 ∗∗∗ IBM Security Bulletin: Open Source Apache CXF Vulnerabilities affects IBM Spectrum LSF Explorer ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1027368 ∗∗∗ IBM Security Bulletin: API Connect Developer Portal is affected by a PHP vulnerability (CVE-2017-7272) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016607 ∗∗∗ IBM Security Bulletin: IBM Spectrum Control (formerly IBM Tivoli Storage Productivity is affected by an OpenSSL vulnerabilitiy (CVE-2018-0739) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015614 ∗∗∗ IBM Security Bulletin: IBM FileNet Image Services is affected by GSKit and GSKit-Crypto vulnerabilities ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22014741 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2017-1788 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014729 ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Cross-Site Scripting vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016512 ∗∗∗ IBM Security Bulletin: IBM Security Guardium Big Data Intelligence (SonarG) is affected by a Session Identifier Not Updated vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016513 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.05.2018
by Daily end-of-shift report 24 May '18

24 May '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-05-2018 18:00 − Donnerstag 24-05-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ===================== = Vulnerabilities = ===================== ∗∗∗ Schneider Electric Patches XXE Vulnerability In Software ∗∗∗ --------------------------------------------- Schneider Electric on Tuesday issued fixes for a vulnerability its SoMachine Basic software that could result in disclosure and retrieval of arbitrary data. --------------------------------------------- https://threatpost.com/schneider-electric-patches-xxe-vulnerability-in-plcs… ∗∗∗ Bugtraq: [security bulletin] MFSBGN03808 rev.1 - Micro Focus UCMDB, Cross-Site Scripting ∗∗∗ --------------------------------------------- A potential security vulnerability has been identified in Micro Focus Universal CMDB/CMS and Micro Focus UCMDB Browser. The vulnerability could be remotely exploited to allow Cross-Site Scripting (XSS). References: CVE-2018-6495 - Corss-Site Scripting (XSS) --------------------------------------------- http://www.securityfocus.com/archive/1/542037 ∗∗∗ Vuln: Apache Batik CVE-2018-8013 Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- Apache Batik is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. Apache Batik 1.9.1 and prior versions are vulnerable. --------------------------------------------- http://www.securityfocus.com/bid/104252 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (imagemagick), Fedora (curl, glibc, kernel, and thunderbird-enigmail), openSUSE (enigmail, knot, and python), Oracle (procps-ng), Red Hat (librelp, procps-ng, redhat-virtualization-host, rhev-hypervisor7, and unboundid-ldapsdk), Scientific Linux (procps-ng), SUSE (bash, ceph, icu, kvm, and qemu), and Ubuntu (procps and spice, spice-protocol). --------------------------------------------- https://lwn.net/Articles/755540/ ∗∗∗ IBM Security Bulletin: IBM i has released PTFs in response to the vulnerabilities known as Spectre and Meltdown. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022433&myns=ibmi&mynp=O… ∗∗∗ IBM Security Bulletin: IBM has released the following fixes for AIX and VIOS in response to Speculative Store Bypass (SSB), also known as Variant 4. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1027700 ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in OpenSLP (CVE-2017-17833) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099807 ∗∗∗ IBM Security Bulletin: IBM Integrated Management Module (IMM) is affected by vulnerability in OpenSLP (CVE-2017-17833) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099806 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect db2exmig and db2exfmt tools shipped with IBM® Db2® (CVE-2018-1544, CVE-2018-1565) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016143 ∗∗∗ IBM Security Bulletin: Buffer overflow in the db2convert tool shipped with IBM® Db2® (CVE-2018-1515). ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016140 ∗∗∗ IBM Security Bulletin: Buffer overflow in IBM® Db2® tool db2licm (CVE-2018-1488). ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016141 ∗∗∗ IBM Security Bulletin: IBM® Db2® is vulnerable to buffer overflow (CVE-2018-1459). ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016142 ∗∗∗ IBM Security Bulletin: IBM® Db2® is affected by multiple file overwrite vulnerabilities (CVE-2018-1450, CVE-2018-1449, CVE-2018-1451, CVE-2018-1452) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016181 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015656 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MQ ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016278 ∗∗∗ IBM Security Bulletin: IBM NeXtScale Fan Power Controller (FPC) is affected by OpenSLP vulnerability (CVE-2017-17833) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099809 ∗∗∗ IBM Security Bulletin: IBM Chassis Management Module (CMM) is affected by OpenSLP vulnerability (CVE-2017-17833) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099808 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects WebSphere Application Server April 2018 CPU ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016282 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.05.2018
by Daily end-of-shift report 23 May '18

23 May '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-05-2018 18:00 − Mittwoch 23-05-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Backdoor Account Found in D-Link DIR-620 Routers ∗∗∗ --------------------------------------------- Security researchers have found a backdoor account in the firmware of D-Link DIR-620 routers that allows hackers to take over any device reachable via the Internet. --------------------------------------------- https://www.bleepingcomputer.com/news/security/backdoor-account-found-in-d-… ∗∗∗ Six Vulnerabilities Found in Dell EMC's Disaster Recovery System, One Critical ∗∗∗ --------------------------------------------- A pen-tester has found five vulnerabilities in Dell EMC RecoverPoint devices, including a critical RCE that could allow total system compromise. --------------------------------------------- https://threatpost.com/six-vulnerabilities-found-in-dell-emcs-disaster-reco… ∗∗∗ VPNFilter – is a malware timebomb lurking on your router? ∗∗∗ --------------------------------------------- A Cisco paper reports on zombie malware that has apparently infected more than 500,000 home routers. --------------------------------------------- https://nakedsecurity.sophos.com/2018/05/23/vpnfilter-is-a-malware-timebomb… ∗∗∗ An Old Trick with a New Twist: Cryptomining Through Disguised URL Shorteners ∗∗∗ --------------------------------------------- As we have previously discussed on this blog, surreptitious cryptomining continues to be a problem as new methods emerge to both evade and hasten the ease of mining at the expense of system administrators, website owners, and their visitors. Another Way Hackers are Tricking Website Visitors into Stealth Cryptomining [...] --------------------------------------------- https://blog.sucuri.net/2018/05/cryptomining-through-disguised-url-shortene… ∗∗∗ CPU-Sicherheitslücken Spectre-NG: Updates und Info-Links ∗∗∗ --------------------------------------------- Hersteller von Hardware, Betriebssystemen und Software stellen Webseiten mit Informationen und Sicherheitsupdates für die neuen Spectre-Lücken Spectre V3a und Spectre V4 bereit: Ein Überblick. --------------------------------------------- https://www.heise.de/ct/artikel/CPU-Sicherheitsluecken-Spectre-NG-Updates-u… ∗∗∗ Angreifer könnten aktuelle BMW-Modelle über Mobilfunk kapern ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Sicherheitslücken im Infotainment-System von verschiedenen BMW-Modellen ausgenutzt und so die Kontrolle übernommen. Ein Angriff aus der Ferne ist aber ziemlich aufwendig. --------------------------------------------- https://www.heise.de/security/meldung/Angreifer-koennten-aktuelle-BMW-Model… ∗∗∗ Efail: Welche E-Mail-Clients sind wie sicher? ∗∗∗ --------------------------------------------- Nach Veröffentlichung der Efail-Lücken in PGP und S/MIME herrscht unter Anwendern, die ihre E-Mails verschlüsseln viel Verunsicherung. Wir haben uns im Detail angeschaut, welche E-Mail-Programme bisher wie abgesichert wurden. --------------------------------------------- https://www.heise.de/security/meldung/Efail-Welche-E-Mail-Clients-sind-wie-… ∗∗∗ Angebliche Lilihill DevCon GmbH versendet Schadsoftware ∗∗∗ --------------------------------------------- Betrüger versenden als angebliche Lilihill DevCon GmbH massenhaft Schadsoftware an Unternehmen. EmpfängerInnen finden eine E-Mail von sales(a)european-gmbh.pw mit dem Betreff "AW: Zahlung – EWT" in ihrem Posteingang. Darin werden Betroffene dazu aufgefordert eine ZIP-Datei aus dem Anhang der Mail zu öffnen. Doch Vorsicht! Die Datei enthält Schadsoftware und darf nicht geöffnet werden. --------------------------------------------- https://www.watchlist-internet.at/news/angebliche-lilihill-devcon-gmbh-vers… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware Workstation und Fusion: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Die Virtualisierungssoftware von VMware ermöglicht die simultane Ausführung von verschiedenen Betriebssystemen auf einem Host-System. --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2018/05/warn… ∗∗∗ [20180505] - Core - XSS Vulnerabilities & additional hardening ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Moderate Severity: Moderate Versions: 3.0.0 through 3.8.7 --------------------------------------------- https://developer.joomla.org/security-centre/733-20180505-core-xss-vulnerab… ∗∗∗ Synology-SA-18:25 SRM ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to inject arbitrary web script or HTML via a susceptible version of Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_18_25 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (java-1.7.0-openjdk, java-1.8.0-openjdk, kernel, libvirt, and qemu-kvm), Debian (procps), Fedora (curl, mariadb, and procps-ng), Gentoo (samba, shadow, and virtualbox), openSUSE (opencv, openjpeg2, pdns, qemu, and wget), Oracle (java-1.8.0-openjdk and kernel), Red Hat (java-1.7.0-openjdk, java-1.8.0-openjdk, kernel, kernel-rt, libvirt, qemu-kvm, qemu-kvm-rhev, redhat-virtualization-host, and vdsm), Scientific Linux (java-1.7.0-openjdk, [...] --------------------------------------------- https://lwn.net/Articles/755386/ ∗∗∗ Vuln: Apache Solr CVE-2018-8010 XML External Entity Multiple Information Disclosure Vulnerabilities ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/104239 ∗∗∗ Security Advisory - Three JSON Injection Vulnerabilities in Huawei Some Products ∗∗∗ --------------------------------------------- http://www.huawei.com//www.huawei.com/en/psirt/security-advisories/2018/hua… ∗∗∗ Security Advisory - Information Exposure Vulnerability in Some Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com//www.huawei.com/en/psirt/security-advisories/2018/hua… ∗∗∗ Security Advisory - Authentication Bypass Vulnerability in Some Huawei Servers ∗∗∗ --------------------------------------------- http://www.huawei.com//www.huawei.com/en/psirt/security-advisories/2018/hua… ∗∗∗ Security Advisory - Numeric Errors Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com//www.huawei.com/en/psirt/security-advisories/2018/hua… ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Netezza Firmware Diagnostics. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22012498 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9 and IBM BigFix Inventory v9 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015655 ∗∗∗ IBM Security Bulletin: Apache Tomcat vulnerability affects IBM Storwize V7000 Unified (CVE-2017-15706) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012273 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect the IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012293 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affects IBM Storwize V7000 Unified ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012274 ∗∗∗ IBM Security Bulletin: IBM Tivoli Netcool Impact is affected by a potential spoofing attack in IBM WebSphere Application Server vulnerability (CVE-2017-1788) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016546 ∗∗∗ IBM Security Bulletin: Multiple Samba vulnerability affects IBM Storwize V7000 Unified (CVE-2017-15275, CVE-2017-14746 ) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012289 ∗∗∗ IBM Security Bulletin: IBM Tivoli Netcool Impact is affected by a potential denial of service used by IBM WebSphere Application Server vulnerability (CVE-2017-12624) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016545 ∗∗∗ IBM Security Bulletin: Authenticated Users in IBM UrbanCode Deploy can Obtain Secure Properties (CVE-2017-1752) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg2C1000376 ∗∗∗ IBM Security Bulletin: Vulnerability in Apache Commons FileUpload affects Tivoli Netcool/OMNIbus WebGUI (CVE-2016-1000031) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016488 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.05.2018
by Daily end-of-shift report 22 May '18

22 May '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-05-2018 18:00 − Dienstag 22-05-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitsupdates: Attacken auf DrayTek-Router ∗∗∗ --------------------------------------------- Unbekannte Angreifer haben es derzeit auf verschiedene Router von DrayTek abgesehen. Ist ein Übergriff erfolgreich, verbiegen sie die DNS-Einstellungen. --------------------------------------------- https://heise.de/-4053059 ===================== = Vulnerabilities = ===================== ∗∗∗ VU#180049: CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks ∗∗∗ --------------------------------------------- CPU hardware utilizing speculative execution may be vulnerable to cache timing side-channel analysis. Also known as "Variant 4" or "SpectreNG". --------------------------------------------- http://www.kb.cert.org/vuls/id/180049 ∗∗∗ Firewall information leak to regular SSL VPN web portal users ∗∗∗ --------------------------------------------- A SSL VPN user logged in via the web portal can access internal FortiOS configuration information (eg: addresses) via specifically crafted URLs. --------------------------------------------- https://fortiguard.com/psirt/FG-IR-17-231 ∗∗∗ Xen Security Advisory CVE-2018-3639 / XSA-263 ∗∗∗ --------------------------------------------- However, in most configurations, within-guest information leak is possible. Mitigation for this generally depends on guest changes (for which you must consult your OS vendor) *and* on hypervisor support, provided in this advisory. --------------------------------------------- http://xenbits.xen.org/xsa/advisory-263.html ∗∗∗ HPSBHF02981 rev.3 - HPE Integrated Lights-Out 2, 3, 4, 5 (iLO 2, iLO 3, iLO 4, and iLO 5) and HPE Superdome Flex RMC - IPMI 2.0 RCMP+ Authentication Remote Password Hash Vulnerability (RAKP) ∗∗∗ --------------------------------------------- A potential security vulnerability has been identified in HPE Integrated Lights-Out 2, 3, 4, 5 (iLO 2, iLO 3, iLO 4, and iLO 5) and HPE Superdome Flex RMC. The vulnerability could be exploited to allow an attacker to gain unauthorized privileges and unauthorized access to privileged information. --------------------------------------------- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_n… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, and libcurl-gnutls), CentOS (firefox), Debian (imagemagick), Fedora (exiv2, LibRaw, and love), Gentoo (chromium), Mageia (kernel, librelp, and miniupnpc), openSUSE (curl, enigmail, ghostscript, libvorbis, lilypond, and thunderbird), Red Hat (Red Hat OpenStack Platform director), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/755076/ ∗∗∗ Security vulnerabilities fixed in Thunderbird 52.8 ∗∗∗ --------------------------------------------- * CVE-2018-5183: Backport critical security fixes in Skia * CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack * CVE-2018-5154: Use-after-free with SVG animations and clip paths * CVE-2018-5155: Use-after-free with SVG animations and text paths ... --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/ ∗∗∗ Security Notice -Statement on the Side-Channel Vulnerability Variants 3a and 4 ∗∗∗ --------------------------------------------- http://www.huawei.com//www.huawei.com/en/psirt/security-notices/2018/huawei… ∗∗∗ Security Advisory - Stack Overflow Vulnerability in Baseband Module of Some Huawei Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com//www.huawei.com/en/psirt/security-advisories/2017/hua… ∗∗∗ IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Platform Symphony, IBM Spectrum Symphony (CVE-2017-15698, CVE-2017-15706, CVE-2018-1323, CVE-2018-1305, CVE-2018-1304) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1027633 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the GSKit component of Tivoli Netcool/OMNIbus ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg21974627 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Tivoli Netcool/OMNIbus (Multiple CVEs) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22012415 ∗∗∗ IBM Security Bulletin: A vulnerability in Apache Commons FileUpload affects the IBM Performance Management product (CVE-2016-1000031) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016122 ∗∗∗ IBM Security Bulletin: Atlas eDiscovery Process Management is affected by Apache Open Source Commons FileUpload Vulnerability ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22014477 ∗∗∗ IBM Security Bulletin: Open Source Commons FileUpload Apache Vulnerabilities (CVE-2016-1000031) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016234 ∗∗∗ IBM Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects the IBM Performance Management product (CVE-2017-1681) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015310 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM SONAS ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012317 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016185 ∗∗∗ IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012291 ∗∗∗ IBM Security Bulletin: Multiple Samba vulnerabilities affect IBM SONAS ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012292 ∗∗∗ Java Bouncy Castle vulnerability CVE-2015-7940 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10105323 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.05.2018
by Daily end-of-shift report 18 May '18

18 May '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-05-2018 18:00 − Freitag 18-05-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ DrayTek Router Zero-Day Under Attack ∗∗∗ --------------------------------------------- DrayTek, a Taiwan-based manufacturer of broadband CPE (Customer Premises Equipment) such as routers, switches, firewalls, and VPN devices, announced today that hackers are exploiting a zero-day vulnerability to change DNS settings on some of its routers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/draytek-router-zero-day-unde… ∗∗∗ Business Email Compromise incidents, (Fri, May 18th) ∗∗∗ --------------------------------------------- Over the past 12 months we have seen a sharp increase in the number of incidents relating to the compromise of business emails. Often O365, but also some Gmail and on premise systems with webmail access. --------------------------------------------- https://isc.sans.edu/diary/rss/23669 ∗∗∗ MEWKit phishing campaign steals MyEtherWallet credentials to perform automated fund transfers ∗∗∗ --------------------------------------------- The cybercriminals who last April executed a man-in-the-middle attack on a Amazon DNS server to steal $152,000 in Ethereum cryptocurrency from MyEtherWallet.com pulled off their heist using a newly discovered phishing kit that includes an automated transfer system (ATS) malware component. --------------------------------------------- https://www.scmagazine.com/mewkit-phishing-campaign-steals-myetherwallet-cr… ∗∗∗ WordPress 4.9.6 Privacy and Maintenance Release ∗∗∗ --------------------------------------------- WordPress 4.9.6 is now available. This is a privacy and maintenance release. We encourage you to update your sites to take advantage of the new privacy features. --------------------------------------------- https://wordpress.org/news/2018/05/wordpress-4-9-6-privacy-and-maintenance-… ∗∗∗ Spectre-NG: Patches für Pfingstmontag erwartet ∗∗∗ --------------------------------------------- Achtung bei der Urlaubsplanung: Intel bereitet für den 21. Mai Updates gegen die ersten Spectre-Next-Generation-Lücken vor. Parallel dazu wird es dazu dann wohl auch endlich konkrete Informationen zu den Lücken geben. --------------------------------------------- https://www.heise.de/-4051247 ∗∗∗ Updates fixen böses Loch in Signals Desktop-App ∗∗∗ --------------------------------------------- Mit einfachen Nachrichten konnte ein Angreifer HTML-Code in die Desktop-App des verschlüsselnden Messengers einschleusen und damit sogar alle Nachrichten seines Opfers auslesen. Die aktuelle Version 1.11 beseitigt diese Lücken. --------------------------------------------- https://www.heise.de/-4052040 ∗∗∗ WhatsApp wird nicht kostenpflichtig ∗∗∗ --------------------------------------------- Aktuell kursiert auf WhatsApp die Nachricht, dass der Messenger-Dienst in Zukunft kostenpflichtig werde. Die angeblichen Kosten dafür können Nutzer/innen vermeiden, wenn sie den Hinweis darüber an zehn ihrer Kontakte weiterleiten. Diese Behauptungen sind falsch, denn bei dem Schreiben handelt es sich um einen erfundenen Kettenbrief. Er kann bedenkenlos gelöscht werden. --------------------------------------------- https://www.watchlist-internet.at/news/whatsapp-wird-nicht-kostenpflichtig/ ===================== = Vulnerabilities = ===================== ∗∗∗ Medtronic NVision Clinician Programmer ∗∗∗ --------------------------------------------- This medical advisory includes mitigations for a missing encryption of sensitive data vulnerability in Medtronics NVision Clinician Programmer. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-137-01 ∗∗∗ GE PACSystems CPE305/310, CPE330, CPE400, RSTi-EP CPE 100, CPU320/CRU320, RXi ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper input validation vulnerability in the GE PACSystems CPE305/310, CPE330, CPE400, RSTi-EP CPE 100, CPU320/CRU320, RXi industrial Internet controllers. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-137-01 ∗∗∗ PHOENIX CONTACT FL SWITCH 3xxx/4xxx/48xx Series ∗∗∗ --------------------------------------------- This advisory includes mitigations for command injection, information exposure, and stack-based buffer overflow vulnerabilities in the PHOENIX CONTACT FL SWITCH 3xxx/4xxx/48xx Series. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-137-02 ∗∗∗ Delta Electronics Delta Industrial Automation TPEditor ∗∗∗ --------------------------------------------- This advisory includes mitigations for a heap-based buffer overflow vulnerability in the Delta Electronics Delta Industrial Automation TPEditor. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-137-04 ∗∗∗ Client for Open Enterprise Server 2 SP4 (IR8a) ∗∗∗ --------------------------------------------- Abstract: This is interim release (IR8a) of Client for Open Enterprise Server 2 SP4 (formerly "Novell Client 2 SP4 for Windows"). It includes fixes for problems found after Client for Open Enterprise Server 2 SP4 was released. It also includes support for Microsoft Windows Server 2016. --------------------------------------------- https://download.novell.com/Download?buildid=wdhtRhxCLdg~ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (curl and zathura-pdf-mupdf), Debian (libmad and vlc), openSUSE (enigmail), Red Hat (collectd, Red Hat OpenStack Platform director, and sensu), and SUSE (firefox, ghostscript, and mysql). --------------------------------------------- https://lwn.net/Articles/754854/ ∗∗∗ Red Hat JBoss Enterprise Application Platform: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-0955/ ∗∗∗ IBM Security Bulletin: IBM StoredIQ is affected by a privilege escalation vulnerability ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016465 ∗∗∗ IBM Security Bulletin: IBM BigFix Platform is affected by multiple vulnerabities (CVE-2017-3735, CVE-2017-1000100, CVE-2017-1000254) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011879 Next End-of-Day report: 2018-05-22 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.05.2018
by Daily end-of-shift report 17 May '18

17 May '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-05-2018 18:00 − Donnerstag 17-05-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Oh, great, now theres a SECOND remote Rowhammer exploit ∗∗∗ --------------------------------------------- Send enough crafted packets to a NIC to put nasties into RAM, then the fun really starts Hard on the heels of the first network-based Rowhammer attack, some of the boffins involved in discovering Meltdown/Spectre have shown off their own technique for flipping bits using network requests. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/05/17/nethammer_s… ∗∗∗ The Rowhammer: the Evolution of a Dangerous Attack ∗∗∗ --------------------------------------------- The Rowhammer Attack Back in 2015, security researchers at Google's Project Zero team demonstrated how to hijack an Intel-compatible PCs running Linux by exploiting the physical weaknesses in certain varieties of DDR DRAM (double data rate dynamic random-access memory) chips. The attack technique devised by the experts was dubbed "Rowhammer" [...] --------------------------------------------- http://resources.infosecinstitute.com/rowhammer-evolution-dangerous-attack-… ∗∗∗ TeleGrab - Grizzly Attacks on Secure Messaging ∗∗∗ --------------------------------------------- This post was written by Vitor Ventura with contributions from Azim KhodjibaevIntroductionOver the past month and a half, Talos has seen the emergence of a malware that collects cache and key files from end-to-end encrypted instant messaging service Telegram. This malware was first seen on April 4, 2018, with a second variant emerging on April 10. --------------------------------------------- https://blog.talosintelligence.com/2018/05/telegrab.html ∗∗∗ Mahnungen über 479,16 Euro der DEBTSOLUTIONS LTD ignorieren! ∗∗∗ --------------------------------------------- Betroffene Internetnutzer/innen finden eine angebliche letzte Zahlungsaufforderung vor einem Mahnverfahren von der Debtsolutions LTD in Ihrem Posteingang. Als Begründung wird genannt, dass eine betrügerische Rechnung der MOVIES DARLING LTD nicht bezahlt wurde. Aus diesem Grund sollen die Empfänger/innen 479,16 Euro an die Debtsolutions LTD überweisen. Doch Vorsicht! Auch dieses Schreiben ist betrügerisch und der Geldbetrag sollte auf keinen Fall bezahlt werden. --------------------------------------------- https://www.watchlist-internet.at/news/mahnungen-ueber-47916-euro-der-debts… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Cisco vergisst mal wieder Standard-Passwort in Netzwerk-Software ∗∗∗ --------------------------------------------- Cisco hat wichtige Patches veröffentlicht und stopft damit Sicherheitslücken in seinem Produktportfolio. Drei Lücken gelten als äußerst kritisch. --------------------------------------------- https://www.heise.de/meldung/Sicherheitsupdates-Cisco-vergisst-mal-wieder-S… ∗∗∗ SECURITY BULLETIN: Trend Micro Endpoint Application Control FileDrop Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- Trend Micro has released a new critical patch (CP) for Trend Micro Endpoint Application Control 2.0 SP1. This CP resolves a FileDrop directory traversal remote code execution (RCE) vulnerability. --------------------------------------------- https://success.trendmicro.com/solution/1119811 ∗∗∗ [R1] Industrial Security 1.1.0 Fixes One Third-party Vulnerability ∗∗∗ --------------------------------------------- Industrial Security leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) were found to contain vulnerabilities, and updated versions have been made available by the providers. --------------------------------------------- https://www.tenable.com/security/tns-2018-06 ∗∗∗ [R1] Nessus Network Monitor 5.5.0 Fixes One Third-party Vulnerability ∗∗∗ --------------------------------------------- Nessus Network Monitor leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) were found to contain vulnerabilities, and updated versions have been made available by the providers. --------------------------------------------- https://www.tenable.com/security/tns-2018-07 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (runc), Debian (curl), Fedora (xdg-utils), Mageia (firefox), openSUSE (libreoffice, librsvg, and php5), Slackware (curl and php), SUSE (curl, firefox, kernel, kvm, libapr1, libvorbis, and memcached), and Ubuntu (curl, dpdk, php5, and qemu). --------------------------------------------- https://lwn.net/Articles/754773/ ∗∗∗ Vuln: Symantec IntelligenceCenter CVE-2017-18268 Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/104164 ∗∗∗ Vuln: Symantec SSLV CVE-2017-15533 Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/104163 ∗∗∗ 2018-05-15: Vulnerability in Welcome IP-Gateway - Command Injection, Missing Session Management, Clear Text Passwords in Cookies ∗∗∗ --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=ABB-VU-EPBP-R-2505&L… ∗∗∗ FortiWeb Recursive URL Decoding is not enabled by default ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-18-058 ∗∗∗ FortiOS SSL Deep-Inspection badssl.com Compliance ∗∗∗ --------------------------------------------- https://fortiguard.com/psirt/FG-IR-17-160 ∗∗∗ IBM Security Bulletin: Vulnerabilities in Linux Kernel affect Intel® Manycore Platform Software Stack (Intel® MPSS) for Linux and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099805 ∗∗∗ IBM Security Bulletin: Vulnerabilities in cURL/libcurl affect Intel® Manycore Platform Software Stack (Intel® MPSS) for Linux and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099804 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities within Jackson JSON library affect IBM Business Automation Workflow (CVE-2017-17485, CVE-2018-5968, CVE-2018-7489) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015305 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java JRE affect IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016198 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities GSKit bundled with IBM HTTP Server ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015347 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Affects IBM Emptoris Sourcing, IBM Emptoris Contract Management, IBM Emptoris Spend Analysis, IBM Emptoris Program Management and IBM Emptoris Service Procurement ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22016159 ∗∗∗ IBM Security Bulletin: A Vulnerability in IBM Java Runtime Affects Optim Data Growth, Test Data Management and Application Retirement ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014553 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016029 ∗∗∗ IBM Security Bulletin: IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise edition are affected by James Clark Expat Vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000380 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.05.2018
by Daily end-of-shift report 16 May '18

16 May '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-05-2018 18:00 − Mittwoch 16-05-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Shadowy Hackers Accidentally Reveal Two Zero-Days to Security Researchers ∗∗∗ --------------------------------------------- An unidentified hacker group appears to have accidentally exposed two fully-working zero-days when theyve uploaded a weaponized PDF file to a public malware scanning engine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/shadowy-hackers-accidentally… ∗∗∗ UPnP joins the just turn it off on consumer devices, already club ∗∗∗ --------------------------------------------- Before it amplifies DDoS attacks Universal Plug n Play, that eternal feast of the black-hat, has been identified as helping to amplify denial-of-service attacks. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/05/16/upnp_amplif… ∗∗∗ CPU-Lücke Spectre V2: Microcode-Updates jetzt unter Windows 10 1803, unter Linux lückenhaft ∗∗∗ --------------------------------------------- Microcode-Updates für Intel-Prozessoren, die unter Windows zum Schutz vor der Sicherheitslücke Spectre V2 nötig sind, kommen nun auch per Windows Update für aktuelle Installationen; bei Linux gibt es aber noch Probleme. --------------------------------------------- https://www.heise.de/-4050379 ===================== = Vulnerabilities = ===================== ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- This advisory includes mitigations for numerous vulnerabilities in Advantechs WebAccess products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-135-01 ∗∗∗ Red Hat Addresses DHCP Client Vulnerability ∗∗∗ --------------------------------------------- Original release date: May 16, 2018 Red Hat has released security updates to address a vulnerability in its Dynamic Host Configuration Protocol (DHCP) client packages for Red Hat Enterprise Linux 6 and 7. An attacker could exploit this vulnerability to take control of an affected system. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2018/05/16/Red-Hat-Addresses-… ∗∗∗ XXE & XSS vulnerabilities in RSA Authentication Manager ∗∗∗ --------------------------------------------- RSA Authentication Manager is affected by several security vulnerabilities which can be exploited by an attacker to read arbitrary files, cause denial of service or attack other users of the web application with JavaScript code, browser exploits or Trojan horses. --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/xxe-xss-vulnerabilities-in-r… ∗∗∗ CVE-2018-8176 | Microsoft PowerPoint Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- Affected Products: Microsoft Office 2016 for Mac Microsoft recommends that customers running Microsoft Office 2016 for Mac install the update to be protected from this vulnerability. --------------------------------------------- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (dhcp), Debian (xen), Fedora (dhcp, flac, kubernetes, leptonica, libgxps, LibRaw, matrix-synapse, mingw-LibRaw, mysql-mmm, patch, seamonkey, webkitgtk4, and xen), Mageia (389-ds-base, exempi, golang, graphite2, libpam4j, libraw, libsndfile, libtiff, perl, quassel, spring-ldap, util-linux, and wget), Oracle (dhcp and kernel), Red Hat (389-ds-base, chromium-browser, dhcp, docker-latest, firefox, kernel-alt, libvirt, qemu-kvm, redhat-vertualization-host, [...] --------------------------------------------- https://lwn.net/Articles/754653/ ∗∗∗ ZDI-18-468: (0Day) Delta Industrial Automation TPEditor TPE File Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-18-468/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015806 ∗∗∗ IBM Security Bulletin: Vulnerabilities in IBM GSKit and IBM GSKit-Crypto affect IBM Performance Management products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016091 ∗∗∗ IBM Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2017-15698, CVE-2017-15706, CVE-2018-1304, CVE-2018-1305) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015795 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) – IBM Java SDK updates Jan 2018 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015927 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Algo Credit Manager ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015591 ∗∗∗ IBM Security Bulletin: Vulnerabilities in libxml2 affect Intel® Manycore Platform Software Stack (Intel® MPSS) for Linux and Windows (CVE-2017-16931, CVE-2017-16932) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099803 ∗∗∗ IBM Security Bulletin: IBM API Connect is affected by an OPENSSL vulnerability (CVE-2017-3735) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015811 ∗∗∗ [R1] Nessus 7.1.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2018-05 ∗∗∗ Oracle Java SE vulnerability CVE-2018-2799 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33924005 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.05.2018
by Daily end-of-shift report 15 May '18

15 May '18

===================== = End-of-Day report = ===================== Timeframe: Montag 14-05-2018 18:00 − Dienstag 15-05-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Containers are here. What about container security? ∗∗∗ --------------------------------------------- The industry is gaga for container technologies like Docker and for good reason. According to ESG research, containers make up about 19 percent of hybrid cloud production workloads today, but in just two years’ time, containers will make up one-third of hybrid cloud production workloads. (Note: I am an ESG employee.) Container security issuesNot surprisingly, cybersecurity professionals say rapid growth and proliferation of application containers have led to several security issues:35 --------------------------------------------- https://www.csoonline.com/article/3273347/security/containers-are-here-what… ∗∗∗ IDG Contributor Network: Fact vs. fiction: 6 myths about container security ∗∗∗ --------------------------------------------- DevOps, containers and microservices are eating software development just as software is eating the world. But with the explosive growth of these technologies and methodologies, it’s becoming increasingly difficult to separate fact from fiction. This is particularly the case when talking container security. In this article, we take a look specifically at the myths surrounding container security [...] --------------------------------------------- https://www.csoonline.com/article/3272830/containers/fact-vs-fiction-6-myth… ∗∗∗ Code-Injection: Sicherheitslücke in Signals Desktop-Client ∗∗∗ --------------------------------------------- Eine Code-Injection-Lücke in Signals Desktop-Client ermöglicht es, aus der Ferne JavaScript auszuführen. Ein Update für die Electron-App steht bereit. (Signal, Sicherheitslücke) --------------------------------------------- https://www.golem.de/news/code-injection-sicherheitsluecke-in-signals-deskt… ∗∗∗ Warnung vor CryptoCode ∗∗∗ --------------------------------------------- Konsument/innen erhalten eine E-Mail von Bitcoin Austria. Bei dem Schreiben handelt es sich um Werbung für CryptoCode. Ein Link in der Nachricht führt auf cryptocode.online. Auf der Plattform sollen Besucher/innen Geld einzahlen, damit sie jeden Tag "$15.000" verdienen können. Das einbezahlte Geld ist verloren, denn eine Gewinnausschüttung gibt es nicht. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-cryptocode/ ∗∗∗ NIS Update ∗∗∗ --------------------------------------------- Am 9. Mai hätte Österreich die NIS-Direktive umgesetzt haben sollen. Das haben wir verpasst. Wir haben noch immer kein NIS-Gesetz, und leider auch noch keinen Entwurf dazu in Begutachtung. Aber: ein Teil der NIS-Thematik (Anbieter digitaler Dienste) fällt unter die Vollharmonisierung und wird daher direkt aus Brüssel heraus gültig. Die entsprechende Verordnung wurde im Jänner veröffentlicht und ist seit 10. Mai in Kraft. Will man wissen, [...] --------------------------------------------- http://www.cert.at/services/blog/20180515161108-2242.html ===================== = Vulnerabilities = ===================== ∗∗∗ SSA-914382 (Last Update: 2018-05-15): Denial-of-Service Vulnerability in SIMATIC S7-400 ∗∗∗ --------------------------------------------- SIMATIC S7-400 CPUs are affected by a security vulnerability which could lead to a Denial-of-Service condition of the PLC if specially crafted packets are received and processed.The affected SIMATIC S7-400 CPU hardware versions are in the product cancellation phase or already phased-out. Siemens recommends customers either upgrading to a new version or implementing specific countermeasures. --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-914382.pdf ∗∗∗ VMSA-2018-0011 ∗∗∗ --------------------------------------------- Unauthenticated Command Injection vulnerability in VMware NSX SD-WAN by VeloCloud --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0011.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (firefox, llpp, and webkit2gtk), Debian (kwallet-pam), Fedora (kernel and pam-kwallet), Gentoo (mpv), Oracle (389-ds-base, firefox, libvirt, and qemu-kvm), and Ubuntu (php5 and php5, php7.0, php7.1, php7.2). --------------------------------------------- https://lwn.net/Articles/754495/ ∗∗∗ BlackBerry powered by Android Security Bulletin - May 2018 ∗∗∗ --------------------------------------------- http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber… ∗∗∗ Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-0922/ ∗∗∗ IBM Security Bulletin: API Connect Developer Portal is affected by a Drupal vulnerability (CVE-2018-7602) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015829 ∗∗∗ IBM Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale with CES stack enabled that could allow sensitive data to be included with service snaps. This data could be sent to IBM during service engagements (CVE-2018-1512) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1012325 ∗∗∗ IBM Security Bulletin: A vulnerability affects the IBM FlashSystem model V840 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=ssg1S1012281 ∗∗∗ IBM Security Bulletin: A vulnerability affects the IBM FlashSystem models 840 and 900 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012280 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect the IBM FlashSystem model V840 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012283 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect the IBM FlashSystem models 840 and 900 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012282 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012263 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015254 ∗∗∗ IBM Security Bulletin: IBM Data Risk Manager has released VM v2.0.1 in response to the vulnerability known as Spectre. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013157 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016207 ∗∗∗ Linux kernel vulnerability CVE-2018-8897 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K17403481 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.05.2018
by Daily end-of-shift report 14 May '18

14 May '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-05-2018 18:00 − Montag 14-05-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ #efail #fail ∗∗∗ --------------------------------------------- Aktuell gehen Berichte um (Twitter, ars technica, EFF, ...), die vor einem Sicherheitsproblem mit verschlüsselten Mails berichten. Die EFF geht soweit, eine Deinstallation diverser Tools zu empfehlen. Während ich diesen Blogpost schreibe, gingen die Researcher mit ihren Ergebnissen online: https://efail.de/ Yay! Eine Vuln mit coolem Namen und Logo. Hier die wichtigsten Punkte: Das Problem ist nicht die Verschlüsselung, sondern liegt im automatischen [...] --------------------------------------------- http://www.cert.at/services/blog/20180514123156-2221.html ∗∗∗ Mit Electron entwickelte Cross-Plattform-Apps angreifbar ∗∗∗ --------------------------------------------- Cross-Plattform Desktop-Apps, die mit dem Electron Framework erstellt werden, können eine gefährliche Sicherheitslücke aufweisen, durch die ein Cross-Site Scripting Angriff auf sie denkbar ist. Das Electron-Team stellt ein Update zur Verfügung. --------------------------------------------- https://www.heise.de/-4048915 ∗∗∗ Some notes on eFail ∗∗∗ --------------------------------------------- Ive been busy trying to replicate the "eFail" PGP/SMIME bug. I thought Id write up some notes.PGP and S/MIME encrypt emails, so that eavesdroppers cant read them. The bugs potentially allow eavesdroppers to take the encrypted emails theyve captured and resend them to you, reformatted in a way that allows them to decrypt the messages. Disable remote/external content in email The most important defense is to disable "external" or "remote" content from being [...] --------------------------------------------- https://blog.erratasec.com/2018/05/some-notes-on-efail.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Acrobat and Reader (APSB18-09) and AdobePhotoshop CC (APSB18-17). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1553 ∗∗∗ Rockwell Automation FactoryTalk Activation Manager ∗∗∗ --------------------------------------------- This advisory was posted originally to the HSIN ICS-CERT library on April 12, 2018, and is being released to the NCCIC/ICS-CERT website. This advisory contains mitigations for cross-site scripting, and improper restriction of operations within the bounds of a memory buffer vulnerabilities in Rockwell Automation's FactoryTalk Activation Manager products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-102-02 ∗∗∗ Arbitrary File Upload & Cross-site scripting in MyBiz MyProcureNet ∗∗∗ --------------------------------------------- MyBiz MyProcureNet is affected by a critical arbitrary file upload vulnerability allowing an attacker to compromise the server by uploading a web shell for issuing OS commands. Furthermore it is affected by cross site scripting issues. --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/arbitrary-file-upload-cross-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tiff and tiff3), Fedora (glusterfs, kernel, libgxps, LibRaw, postgresql, seamonkey, webkit2gtk3, wget, and xen), Mageia (afflib, flash-player-plugin, imagemagick, qpdf, and transmission), openSUSE (Chromium, opencv, and xen), SUSE (kernel), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/754430/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.05.2018
by Daily end-of-shift report 11 May '18

11 May '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-05-2018 18:00 − Freitag 11-05-2018 18:00 Handler: Stefan Lenzhofer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Upcoming Security Updates for Adobe Acrobat and Reader (APSB18-09) ∗∗∗ --------------------------------------------- A prenotification Security Advisory (APSB18-09) has been posted regarding upcoming Adobe Acrobat and Reader updates scheduled for Monday, May 14, 2018. We will continue to provide updates on the upcoming release via the Security Advisory as well as the Adobe … Continue [...] --------------------------------------------- https://blogs.adobe.com/psirt/?p=1553 ∗∗∗ Researchers Come Up With a Way to Launch Rowhammer Attacks via Network Packets ∗∗∗ --------------------------------------------- Five academics from the Vrije University in Amsterdam and one from the University of Cyprus have discovered a way for launching Rowhammer attacks via network packets and network cards. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-come-up-with-a-w… ∗∗∗ Lücke in Windows, Linux, macOS: Entwickler missverstehen Intel-Dokumentation ∗∗∗ --------------------------------------------- Weil ihre Entwickler die Dokumentation einer CPU-Funktion missverstanden haben, sind nun fast alle Betriebssysteme anfällig für Manipulationen des Kernel-Speichers. Updates für die Lücke wurden bereits verteilt. --------------------------------------------- https://www.heise.de/security/meldung/Luecke-in-Windows-Linux-macOS-Entwick… ∗∗∗ ATM attacks: How hackers are going for gold ∗∗∗ --------------------------------------------- Imagine winning the lottery and having an ATM spit huge amounts of cash at you. That's exactly what some cyber criminals are after. They're targeting ATMs and launching "jackpotting" attacks, forcing them to dispense bills like a winning slot machine. --------------------------------------------- https://www.helpnetsecurity.com/2018/05/11/atm-attacks/ ∗∗∗ Sicherheitslücke bei "Signal"-App für Mac ∗∗∗ --------------------------------------------- Nachrichten, die verschwinden sollen, leben in der Benachrichtigungsleiste weiter --------------------------------------------- http://derstandard.at/2000079519326 ∗∗∗ One year later: EternalBlue exploit more popular now than during WannaCryptor outbreak ∗∗∗ --------------------------------------------- The infamous outbreak may no longer be causing mayhem worldwide but the threat that enabled it is still very much alive and posing a major threat to unpatched and unprotected systems --------------------------------------------- https://www.welivesecurity.com/2018/05/10/one-year-later-eternalblue-exploi… ∗∗∗ LG patches RCE bug in smartphone keyboards ∗∗∗ --------------------------------------------- LG on Monday released a security update fixing a high-severity remote code execution vulnerability found in the default keyboards of all its mainstream smartphone models. --------------------------------------------- https://www.scmagazineuk.com/news/lg-patches-rce-bug-in-smartphone-keyboard… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (freetype2, libraw, and powerdns), CentOS (389-ds-base and kernel), Debian (php5, prosody, and wavpack), Fedora (ckeditor, fftw, flac, knot-resolver, patch, perl, and perl-Dancer2), Mageia (cups, flac, graphicsmagick, libcdio, libid3tag, and nextcloud), openSUSE (apache2), Oracle (389-ds-base and kernel), Red Hat (389-ds-base and flash-plugin), Scientific Linux (389-ds-base), Slackware (firefox and wget), SUSE (xen), and Ubuntu (wget). --------------------------------------------- https://lwn.net/Articles/754145/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (libmupdf, mupdf, mupdf-gl, and mupdf-tools), Debian (firebird2.5, firefox-esr, and wget), Fedora (ckeditor, drupal7, firefox, kubernetes, papi, perl-Dancer2, and quassel), openSUSE (cairo, firefox, ImageMagick, libapr1, nodejs6, php7, and tiff), Red Hat (qemu-kvm-rhev), Slackware (mariadb), SUSE (xen), and Ubuntu (openjdk-8). --------------------------------------------- https://lwn.net/Articles/754257/ ∗∗∗ Oracle Java SE vulnerability CVE-2018-2783 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44923228 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.05.2018
by Daily end-of-shift report 09 May '18

09 May '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-05-2018 18:00 − Mittwoch 09-05-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ "Hide and Seek" Becomes First IoT Botnet Capable of Surviving Device Reboots ∗∗∗ --------------------------------------------- Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-… ∗∗∗ PoC Developed for CoinHive Mining In Excel Using Custom JavaScript Functions ∗∗∗ --------------------------------------------- Within days of Microsoft announcing that they are introducing custom JavaScript equations in Excel, a security researcher has developed a way to use this method to load the CoinHive in-browser JavaScript miner within Excel. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poc-developed-for-coinhive-m… ∗∗∗ Call for speakers One Conference ∗∗∗ --------------------------------------------- The international One Conference 2018 will take place on October 2 & 3 in The Hague. Overall theme of this edition is "Merging Worlds – Securing the connected future". --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/call-for-speakers-one-confe… ∗∗∗ Nice Phishing Sample Delivering Trickbot, (Wed, May 9th) ∗∗∗ --------------------------------------------- Users have to deal with phishing for a very long time. Today, most of them remain dumb messages quickly redacted with a simple attached file and a message like "Click on me, its urgent!". Yesterday, I put my hands on a very nice sample that deserve to be dissected to demonstrate that phishing campaigns remain an excellent way to infect a computer! --------------------------------------------- https://isc.sans.edu/diary/rss/23641 ∗∗∗ Massive localstorage[.]tk Drupal Infection ∗∗∗ --------------------------------------------- After a series of critical Drupal vulnerabilities disclosed this spring, it’s not surprising to see a surge of massive Drupal infections like this one: [...] --------------------------------------------- https://blog.sucuri.net/2018/05/massive-localstorage-tk-drupal-infection.ht… ∗∗∗ Its 2018, and a webpage can still pwn your Windows PC – and apps can escape Hyper-V ∗∗∗ --------------------------------------------- Scores of bugs, from Edge and Office to kernel code to Adobe Flash, need fixing ASAP Patch Tuesday Microsoft and Adobe have patched a bunch of security bugs in their products that can be exploited by hackers to commandeer vulnerable computers, siphon peoples personal information, and so on. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/05/09/microsoft_w… ∗∗∗ Introducing Orchestrator decryption tool ∗∗∗ --------------------------------------------- Researched and written by Donny Maasland and Rindert Kramer Introduction During penetration tests we sometimes encounter servers running software that use sensitive information as part of the underlying process, such as Microsoft’s System Center Orchestrator. According to Microsoft, Orchestrator is a workflow management solution for data centers and can be used to automate the creation, [...] --------------------------------------------- https://blog.fox-it.com/2018/05/09/introducing-orchestrator-decryption-tool/ ∗∗∗ Netzwerkfähige Medizinprodukte besser schützen ∗∗∗ --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/sicherheits… ∗∗∗ Gandcrab Ransomware Walks its Way onto Compromised Sites ∗∗∗ --------------------------------------------- This blog post authored by Nick Biasini with contributions from Nick Lister and Christopher Marczewski.Despite the recent decline in the prevalence of ransomware in the threat landscape, Cisco Talos has been monitoring the now widely distributed ransomware called Gandcrab. Gandcrab uses both traditional spam campaigns, as well as multiple exploit kits, including Rig and Grandsoft. --------------------------------------------- https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html ∗∗∗ Google CTF 2018 is here ∗∗∗ --------------------------------------------- https://security.googleblog.com/2018/05/google-ctf-2018-is-here.html ∗∗∗ Gefälschte Mobilis GmbH-Bestellung verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte Bestellung der Mobilis GmbH. In dem geschäftlichen Schreiben fordern sie von Unternehmen, dass diese den Dateianhang für weiterführende Informationen zum Einkauf öffnen. In Wahrheit verbirgt er Schadsoftware. Aus diesem Grund ist es wichtig, dass Empfänger/in die vermeintliche Bestellung nicht öffnen und die Nachricht in ihren Spam-Ordner verschieben. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-mobilis-gmbh-bestellung-… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2018-8897 ∗∗∗ --------------------------------------------- Aktuell gehen Medienberichte über einen Bug im Umgang von Betriebssystemen mit Intel und AMD CPUs umher, dazu hatten wir die ersten Rückfragen bezüglich der Kritikalität. Wir sehen das nicht tragisch: der Bug ist nach momentanem Wissensstand weder remote noch via JavaScript etc. ausnutzbar, und daher "nur" eine klassische Privilege Escalation. --------------------------------------------- http://www.cert.at/services/blog/20180509142228-2199.html ∗∗∗ Silex Technology SX-500/SD-320AN or GE Healthcare MobileLink ∗∗∗ --------------------------------------------- This medical advisory includes mitigations for improper authentication and OS command injection vulnerabilities in Silex Technology SX-500, SD-320AN, and GE Healthcare MobileLink devices. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-128-01 ∗∗∗ Siemens Medium Voltage SINAMICS Products ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper input validation vulnerabilities in Siemens SINAMICS modular drive systems. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-128-01 ∗∗∗ Siemens Siveillance VMS ∗∗∗ --------------------------------------------- This advisory includes mitigations for a deserialization of untrusted data vulnerability in the Siemens Siveillance Video Management Software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-128-02 ∗∗∗ Siemens Siveillance VMS Video Mobile App ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper certificate validation vulnerability in the Siemens Siveillance VMS mobile app. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-128-03 ∗∗∗ May 2018 Office Update Release ∗∗∗ --------------------------------------------- The May 2018 Public Update releases for Office are now available! This month, there are 30 security updates and 22 non-security updates. All of the security and non-security updates are listed in KB article 4133083. --------------------------------------------- https://blogs.technet.microsoft.com/office_sustained_engineering/2018/05/08… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Gentoo (rsync), openSUSE (Chromium), Oracle (kernel), Red Hat (kernel and kernel-rt), Scientific Linux (kernel), SUSE (kernel and php7), and Ubuntu (dpdk, libraw, linux, linux-lts-trusty, linux-snapdragon, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/754021/ ∗∗∗ Security Update Summary ∗∗∗ --------------------------------------------- https://portal.msrc.microsoft.com/en-us/security-guidance/summary ∗∗∗ Security Advisory - Authentication Bypass Vulnerability in Some Smart Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180509-… ∗∗∗ Security Advisory - Authentication Bypass Vulnerability in Huawei iBMC Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180509-… ∗∗∗ [R1] OpenSSL Stand-alone Patch Available for SecurityCenter versions 5.0 or Later ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2018-04 ∗∗∗ Oracle Java SE vulnerability CVE-2018-2811 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01294982 ∗∗∗ Oracle Java SE vulnerability CVE-2018-2796 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K71021401 ∗∗∗ Oracle Java SE vulnerability CVE-2018-2798 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K24593421 Next End-of-Day report: 2018-05-11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.05.2018
by Daily end-of-shift report 08 May '18

08 May '18

===================== = End-of-Day report = ===================== Timeframe: Montag 07-05-2018 18:00 − Dienstag 08-05-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Office 365 Zero-Day Used in Real-World Phishing Campaigns ∗∗∗ --------------------------------------------- A new email attack known as baseStriker allows miscreants to send malicious emails that bypass security systems on Office 365 accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/office-365-zero-day-used-in-… ∗∗∗ Don’t Share Email with Scripts and Macros ∗∗∗ --------------------------------------------- Sharing documents scripts and macros over email is a habit you want to break, says Broderick Aquilino, Senior Researcher at F-Secure. "Both scripts and macros are commonly used attack vectors," he told us. "Users practicing this increase their risk because it becomes harder for them to distinguish something malicious from what they are receiving day [...] --------------------------------------------- https://safeandsavvy.f-secure.com/2018/05/08/dont-share-email-with-scripts-… ∗∗∗ How to Protect Your Web Applications From XXE Attacks ∗∗∗ --------------------------------------------- XML External Entities (XXE) Attacks are now the 4th greatest risk to web applications as per OWAPS Top 10. --------------------------------------------- https://www.htbridge.com/blog/how-to-protect-your-web-applications-from-xxe… ∗∗∗ Maikspy Spyware Poses as Adult Game, Targets Windows and Android Users ∗∗∗ --------------------------------------------- We discovered a malware family called Maikspy - a multi-platform spyware that can steal users' private data. The spyware targets Windows and Android users, and first posed as an adult game named after a popular U.S.-based adult film actress. Maikspy, which is an alias that combines the name of the adult film actress and spyware, has been around since 2016. Multiple Twitter handles were found promoting the Maikspy-carrying adult games and sharing the malicious domain via short links. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/maikspy-spyware… ∗∗∗ Drupal-Lücken: Lenovo versäumt Webseiten-Update und fängt sich Krypto-Miner ein ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher warnt, dass Angreifer gegenwärtig ungepatchte Drupal-Webseiten attackieren, um dort einen Kryptogeld-Miner zu platzieren. Sicherheitsupdates sind schon länger verfügbar. --------------------------------------------- https://www.heise.de/-4044683 ∗∗∗ Mobile Menace Monday: re-emergence of a fake Android AV ∗∗∗ --------------------------------------------- Way back in early 2013, a new antivirus (AV) company emerged into the mobile security software industry that had everyone perplexed. It seemed like a fake Android AV, but received certification by a reputable AV testing organization! Now, five years later, its back. Heres why you shouldnt trust it. --------------------------------------------- https://blog.malwarebytes.com/malwarebytes-news/2018/05/mobile-menace-monda… ∗∗∗ 8 Tips to Harden Your Joomla Installation ∗∗∗ --------------------------------------------- Joomla arrived on the scene in 2005 as a fork of the Mambo content management system (CMS). Downloaded over 91 million times, it has since eclipsed Mambo to become a ubiquitous platform for websites of all sizes. According to last year's Hacked Website Report from Sucuri, which used insights from over 36,000 compromised sites, Joomla [...] --------------------------------------------- https://www.tripwire.com/state-of-security/featured/8-tips-harden-joomla-in… ∗∗∗ Hacking train passenger Wi-Fi ∗∗∗ --------------------------------------------- After speaking about Wi-Fi security at a rail industry conference last week, it struck me that very insecure passenger networks are making their way on to trains. So, here's a quick check list for making sure your pax Wi-Fi network is secure. Similar checks could be applied to your guest network in your office, Wi-Fi [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/hacking-train-passenger-wi-fi/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Creative Cloud Desktop Application (APSB18-12), Adobe Flash Player (APSB18-16), and Adobe Connect (APSB18-18). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin. --------------------------------------------- https://blogs.adobe.com/psirt/?p=1557 ∗∗∗ iPrint Appliance 2.1 Patch 7 ∗∗∗ --------------------------------------------- Abstract: iPrint Appliance 2.1 Patch 7 is a cumulative patch including fixes from all the previous 2.1 patches and hot fixes. Document ID: 5377430Security Alert: YesDistribution Type: PublicEntitlement Required: YesFiles:iPrint-2.1.0.87.HP.zip (950.24 MB)Products:iPrint Appliance 2.1Superceded Patches:iPrint Appliance 2.1 --------------------------------------------- https://download.novell.com/Download?buildid=uKzGH3eCxf0~ ∗∗∗ SAP Security Patch Day - May 2018 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape. --------------------------------------------- https://blogs.sap.com/2018/05/08/sap-security-patch-day-may-2018/ ∗∗∗ Android Security Bulletin - May 2018 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2018-05-05 or later address all of these issues. To learn how to check a devices security patch level, see Check & update your Android version. --------------------------------------------- https://source.android.com/security/bulletin/2018-05-01 ∗∗∗ USN-3639-1: LibRaw vulnerabilities ∗∗∗ --------------------------------------------- libraw vulnerabilitiesA security issue affects these releases of Ubuntu and its derivatives:Ubuntu 18.04 LTSUbuntu 17.10Ubuntu 16.04 LTSSummarySeveral security issues were fixed in LibRaw.Software Descriptionlibraw - raw image decoder libraryDetailsIt was discovered that LibRaw incorrectly handled certain files.An attacker could possibly use this to execute arbitrary code.(CVE-2018-10528)It was discovered that LibRaw incorrectly handled certain files.An attacker could possibly use this to [...] --------------------------------------------- https://usn.ubuntu.com/3639-1/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (wget), SUSE (patch), and Ubuntu (qpdf). --------------------------------------------- https://lwn.net/Articles/753882/ ∗∗∗ WebKitGTK+ Security Advisory WSA-2018-0004 ∗∗∗ --------------------------------------------- Date Reported: May 07, 2018 Advisory ID: WSA-2018-0004 CVE identifiers: CVE-2018-4121, CVE-2018-4200,CVE-2018-4204. Several vulnerabilities were discovered in WebKitGTK+. CVE-2018-4121 Versions affected: WebKitGTK+ before 2.20.0. Credit to Natalie Silvanovich of Google Project Zero. Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Description: Multiple memory corruptionissues were addressed with improved memory handling. --------------------------------------------- https://webkitgtk.org/security/WSA-2018-0004.html ∗∗∗ IBM Security Bulletin: IBM OpenPages GRC Platform has addressed multiple Apache Tomcat vulnerabilities. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22011364 ∗∗∗ Linux kernel vulnerability CVE-2017-8824 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K15526101 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.05.2018
by Daily end-of-shift report 07 May '18

07 May '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-05-2018 18:00 − Montag 07-05-2018 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Drupal Sites Fall Victims to Cryptojacking Campaigns ∗∗∗ --------------------------------------------- After the publication of two severe security flaws in the Drupal CMS, cybercrime groups have turned their sights on this web technology in the hopes of finding new ground to plant malware on servers and make money through illegal cryptocurrency mining. --------------------------------------------- https://www.bleepingcomputer.com/news/security/drupal-sites-fall-victims-to… ∗∗∗ SynAck Ransomware Uses Process Doppelgänging Technique ∗∗∗ --------------------------------------------- A new and improved version of the SynAck ransomware has been spotted online these past days, and security researchers are reporting that the ransomware now uses the Process Doppelgänging technique. --------------------------------------------- https://www.bleepingcomputer.com/news/security/synack-ransomware-uses-proce… ∗∗∗ How to Protect Yourself From GDPR-Related Phishing Scams ∗∗∗ --------------------------------------------- Fourteen emails. That’s the amount of GDPR policy notification emails I’ve received in the past few weeks. The EU’s General Data Protection Regulation (GDPR) compliance deadline is May 25, requiring companies around the world to notify their contacts about data privacy changes under this new rule. --------------------------------------------- http://resources.infosecinstitute.com/protect-gdpr-phishing-scams/ ∗∗∗ Lenovo Patches Arbitrary Code Execution Flaw ∗∗∗ --------------------------------------------- Lenovo warns of a high-severity bug impacting its System x line of servers, along with a medium-severity buffer-overflow vulnerability affecting its popular ThinkPad line. --------------------------------------------- https://threatpost.com/lenovo-patches-arbitrary-code-execution-flaw/131725/ ∗∗∗ Umsetzung NIS-Richtlinie abgeschlossen - neue Pflichten für Anbieter digitaler Dienste ∗∗∗ --------------------------------------------- Im Zuge der Umsetzung der EU-Richtlinie zur Netzwerk- und Informationssicherheit (NIS-Richtlinie) müssen Anbieter von Suchmaschinen, Cloud-Computing-Diensten und Online-Marktplätzen mit Sitz in Deutschland ab 10. Mai 2018 IT-Sicherheitsvorfälle mit erheblichen Auswirkungen auf den betriebenen Dienst an das Bundesamt für Sicherheit in der Informationstechnik (BSI) melden. Gleichzeitig gelten dann europaweit einheitliche Mindestanforderungen [...] --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/NIS-Richtli… ∗∗∗ MassMiner: Kryptogeld-Miner hat es auf Web-Server abgesehen ∗∗∗ --------------------------------------------- Unbekannte Angreifer attackieren Sicherheitsforschern zufolge derzeit gezielt Server mit verwundbaren Versionen von Apache Struts, Oracle WebLogic und Windows SMB. Sicherheitspatches sind schon länger verfügbar. --------------------------------------------- https://heise.de/-4043366 ∗∗∗ Spectre-NG: Intel verschiebt die ersten Patches – koordinierte Veröffentlichung aufgeschoben ∗∗∗ --------------------------------------------- Eigentlich war für Montag die Veröffentlichung der ersten Spectre-NG-Patches geplant. Doch Intel hat um Aufschub gebeten und diesen auch erhalten. Neue, exklusive Informationen zeigen, wie es mit Spectre-NG jetzt weiter gehensoll. --------------------------------------------- https://www.heise.de/-4043790 ∗∗∗ Windows Defender Exploit Guard – Attack Surface Reduction Rules aktivieren ∗∗∗ --------------------------------------------- Mit Windows 10 v1709 hat Microsoft der Defender-Plattform zusätzliche, interessante Features spendiert, die nun mit Win10-Release 1803 um weitere Möglichkeiten ergänzt wurden. So lassen sich zum Beispiel folgende Regeln aktivieren, welche das Risiko einer Malware-Infektion in einigen Szenarien deutlich reduzieren können: [...] --------------------------------------------- https://hitco.at/blog/windows-defender-exploit-guard-attack-surface-reducti… ===================== = Vulnerabilities = ===================== ∗∗∗ Integrated GPUs may allow side-channel and rowhammer attacks using WebGL ("Glitch") ∗∗∗ --------------------------------------------- Some platforms with integrated GPUs, such as smartphones, may allow both side-channel and rowhammer attacks via WebGL, which may allow a remote attacker to compromise the browser on an affected platform. An attack technique that leverages these vulnerabilities is called "GLitch." --------------------------------------------- https://www.kb.cert.org/vuls/id/283803 ∗∗∗ Vulnerability Spotlight: MySQL Multi-Master Manager Remote Command Injection Vulnerability ∗∗∗ --------------------------------------------- Today, Talos is releasing details of a new vulnerability within MySQL Multi-Master Manager. This is used to perform monitoring, failover and management of MySQL master-master replication configurations. By using MySQL MMM (Multi-Master Replication Manager for MySQL) it ensures that only one node is writeable at a time. Using MySQL MMM an end user can also choose to move their Virtual IP addresses to different servers depending on their replication [...] --------------------------------------------- https://blog.talosintelligence.com/2018/05/vulnerability-spotlight-mysql-mm… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libdatetime-timezone-perl, libmad, lucene-solr, tzdata, and wordpress), Fedora (drupal7, scummvm, scummvm-tools, and zsh), Mageia (boost, ghostscript, gsoap, java-1.8.0-openjdk, links, and php), openSUSE (pam_kwallet), and Slackware (python). --------------------------------------------- https://lwn.net/Articles/753687/ ∗∗∗ Security Update 2018-001 Swift 4.1.1 for Ubuntu 14.04 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT208804 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK Affect IBM Emptoris Strategic Supply Management Suite of Products and IBM Emptoris Services Procurement ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016092 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Libxml2 affect IBM InfoSphere Identity Insight. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015944 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Cognos Analytics ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22016039 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Network Time Protocol (NTP) affect IBM Virtualization Engine TS7700 (CVE-2016-7427, CVE-2016-7428, CVE-2016-9310, CVE-2016-9311) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1011857 ∗∗∗ RSA Authentication Manager Bugs Let Remote Users Inject HTTP Headers and Remote Authenticated Users Conduct XML External Entity Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1040835 ∗∗∗ Side-channel processor vulnerability CVE-2018-9056 (BranchScope) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K35135935 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.05.2018
by Daily end-of-shift report 04 May '18

04 May '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-05-2018 18:00 − Freitag 04-05-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Dateikompression: Bug in 7-Zip 18.01 ermöglicht Codeausführung beim Entpacken ∗∗∗ --------------------------------------------- Ein Bug macht sich uninitialisierten Speicher zunutze, um darüber beliebigen Code beim Entpacken von Dateiarchiven mit 7-Zip auszuführen. Ein Softwareentwickler hat die Lücke entdeckt und zu Demonstrationszwecken ausgenutzt. Statt dem Windows-Taschenrechner könnte darüber auch Schlimmeres ausgeführt werden. --------------------------------------------- https://www.golem.de/news/dateikompression-bug-in-7-zip-18-01-ermoeglicht-c… ∗∗∗ IMHO: Ein Lob für Twitter und Github ∗∗∗ --------------------------------------------- Bei Github wurden Passwörter versehentlich im Klartext gespeichert. Kurze Zeit später meldete Twitter ein ähnliches Problem. Es gibt keinen Hinweis darauf, dass dadurch Nutzer gefährdet wurden. Trotzdem gingen die Firmen damit transparent um - richtig so! --------------------------------------------- https://www.golem.de/news/imho-ein-lob-fuer-twitter-und-github-1805-134232.… ∗∗∗ Rooting a Logitech Harmony Hub: Improving Security in Todays IoT World ∗∗∗ --------------------------------------------- Introduction FireEye’s Mandiant Red Team recently discovered vulnerabilities present on the Logitech Harmony Hub Internet of Things (IoT) device that could potentially be exploited, resulting in root access to the device via SSH. The Harmony Hub is a home control system designed to connect to and control a variety of devices in the user’s .. --------------------------------------------- http://www.fireeye.com/blog/threat-research/2018/05/rooting-logitech-harmon… ∗∗∗ ICS-Systeme von Schneider Electric: Angreifer könnten Fabriken übernehmen ∗∗∗ --------------------------------------------- In den Industrie-Kontrollsystemen InduSoft Web Studio und InTouch Machine Edition von Schneider Electric klaffen kritische Sicherheitslücken. Patches sind verfügbar. --------------------------------------------- https://www.heise.de/meldung/ICS-Systeme-von-Schneider-Electric-Angreifer-k… ∗∗∗ Wie Google mit veralteten und unsicheren Android-Apps aufräumen will ∗∗∗ --------------------------------------------- Entwickler sehen sich künftig mit wesentlich härteren Vorschriften konfrontiert – Umstellung bringt Mehrarbeit --------------------------------------------- http://derstandard.at/2000078894766 ∗∗∗ Google rolls out .app domains with built-in HTTPS ∗∗∗ --------------------------------------------- The move is part of the company’s HTTPS-everywhere vision for the internet .. --------------------------------------------- https://www.welivesecurity.com/2018/05/04/google-rolls-app-domain-built-htt… ===================== = Vulnerabilities = ===================== ∗∗∗ Philips Brilliance Computed Tomography (CT) System ∗∗∗ --------------------------------------------- This medical advisory includes mitigations for execution with unnecessary privileges, exposure of resource to wrong sphere, and use of hard-coded credentials vulnerabilities in Philips Brillance CT Scanners. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-123-01 ∗∗∗ Lantech IDS 2102 ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper input validation and stack-based buffer overflow vulnerabilities in the Lantech IDS 2102 Ethernet device server. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-123-01 ∗∗∗ DSA-4191 redmine - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4191 ∗∗∗ DSA-4189 quassel - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4189 ∗∗∗ Security Advisory 2018-01: Security Update for OTRS Framework ∗∗∗ --------------------------------------------- https://community.otrs.com/security-advisory-2018-01-security-update-for-ot… ∗∗∗ Use of hardcoded credentials for communication between Meru access points and FortiWLC ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-274 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.05.2018
by Daily end-of-shift report 03 May '18

03 May '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-05-2018 18:00 − Donnerstag 03-05-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Notfall-Hotline für von Cybercrime betroffene Unternehmen in Wien ∗∗∗ --------------------------------------------- Anzeigen wegen Cybercrime-Delikten sind im Vorjahr in Österreich um rund 28 Prozent gestiegen. ... Die WK Wien startete deshalb eine Notfall-Hotline für betroffene Unternehmen. --------------------------------------------- http://derstandard.at/2000079106868 ∗∗∗ Threat Roundup for April 20-27 ∗∗∗ --------------------------------------------- Today, Talos is publishing a glimpse into the most prevalent threats weve observed between April 20 and 27. As with previous roundups, this post isnt meant to be an in-depth analysis. Instead, this post will summarize the threats weve observed by highlighting key behavioral characteristics, indicators of compromise... --------------------------------------------- http://blog.talosintelligence.com/2018/04 /threat-round-up-0420-0427.html ∗∗∗ Betrug mit gefälschter Microsoft-Warnung ∗∗∗ --------------------------------------------- Mit einer gefälschten Microsoft-Warnung fordern Kriminelle von Konsument/innen, dass sie telefonisch Kontakt mit einem Support-Center aufnehmen. Es teilt ihnen mit, dass ihr Computer mit Schadsoftware befallen sei. Aus diesem Grund sollen sie ein Programm herunterladen und für die Hilfestellung bezahlen. Kommen die Konsument/innen den Aufforderungen nach, verlieren sie Geld und infizieren ihr Endgerät mit Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/news /betrug-mit-gefaelschter-microsoft-warnung/ ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Releases Security Updates ∗∗∗ --------------------------------------------- Cisco has released updates to address vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. NCCIC encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates: * WebEx Advanced Recording Format Remote Code Execution Vulnerability cisco-sa-20180502-war * Prime File Upload Servlet Path Traversal and Remote Code Execution Vulnerability cisco-sa-20180502-prime-upload * Secure Access Control System Remote Code Execution Vulnerability cisco-sa-20180502-acs1 * Wireless LAN Controller 802.11 Management Frame Denial-of-Service Vulnerability cisco-sa-20180502-wlc-mfdos * Wireless LAN Controller IP Fragment Reassembly Denial-of-Service Vulnerability cisco-sa-20180502-wlc-ip * Meeting Server Remote Code Execution Vulnerability cisco-sa-20180502-cms-cx * Aironet 1810, 1830, and 1850 Series Access Points Point-to-Point Tunneling Protocol Denial-of-Service Vulnerability cisco-sa-20180502-ap-ptp * Aironet 1800, 2800, and 3800 Series Access Points Secure Shell Privilege Escalation Vulnerability cisco-sa-20180502-aironet-ssh --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2018/05/02 /Cisco-Releases-Security-Updates ∗∗∗ Weitere Spectre-Lücken im Anflug ∗∗∗ --------------------------------------------- Ganze acht neue Sicherheitslücken in Intel-CPUs haben mehrere Forscher-Teams dem Hersteller bereits gemeldet, die aktuell noch geheimgehalten werden. ... Die konkrete Gefahr für Privatleute und Firmen-PCs ist hingegen eher gering, weil es dort in aller Regel andere, einfacher auszunutzende Schwachstellen gibt. Trotzdem sollte man sie ernst nehmen und die anstehenden Spectre-NG-Updates nach deren Erscheinen zügig einspielen. --------------------------------------------- https://heise.de/-4039134 ∗∗∗ Kritische Sicherheitslücke in Oracle Access Manager - Updates verfügbar ∗∗∗ --------------------------------------------- Kritische Sicherheitslücke in Oracle Access Manager - Updates verfügbar 3. Mai 2018 Beschreibung Das IT-Security Consulting Unternehmen SEC-Consult hat eine kritische Sicherheitslücke in der verbreiteten Software Oracle Access Manager (OAM) entdeckt, die in vielen Umgebungen für Single-Sign-On und andere Login-Szenarios verwendet wird. CVE-Nummer: CVE-2018-2879 Auswirkungen Angreifer können sich durch Ausnutzen der Lücke mit beliebigen Accounts (auch --------------------------------------------- http://www.cert.at/warnings/all/20180503.html ∗∗∗ Docker für Windows: Microsoft patcht Go-Bibliothek hcsshim ∗∗∗ --------------------------------------------- Wer Docker zur Containervirtualisierung unter Windows nutzt oder selbst Go-Programme entwickelt, sollte dringend die Aktualität des "Windows Host Compute Service Shim" (hcsshim)-Packages auf seinem System überprüfen. --------------------------------------------- https://heise.de/-4040139 ∗∗∗ SSA-546832 (Last Update: 2018-05-03): Vulnerabilities in Medium Voltage SINAMICS Products ∗∗∗ --------------------------------------------- The latest updates for medium voltage SINAMICS products fix two security vulnerabilities that could allow an attacker to cause a Denial-of-Service condition either via specially crafted PROFINET DCP broadcast packets or by sending specially crafted packets to port 161/udp (SNMP). Precondition for the PROFINET DCP scenario is a direct Layer 2 access to the affected products. PROFIBUS interfaces are not affected. --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-546832.pdf ∗∗∗ SSA-468514 (Last Update: 2018-05-03): Improper Certificate Validation Vulnerability in Siveillance VMS Video Mobile App for Android and iOS ∗∗∗ --------------------------------------------- The latest update for the Siveillance VMS Video mobile app for Android and iOS fixes a security vulnerability that could allow an attacker in a privileged network position to read data from and write data to the encrypted communication channel between the app and a server. Precondition for this scenario is that an attacker is able to intercept the communication channel between the affected app and a server, and is also able to generate a certificate that results for the validation algorithm in --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-468514.pdf ∗∗∗ SSA-457058 (Last Update: 2018-05-03): .NET Security Vulnerability in Siveillance VMS ∗∗∗ --------------------------------------------- Siemens has released software updates for Siveillance VMS which fix a security vulnerability with the .NET Remoting deserialization that could allow elevation of privileges and/or causing a Denial-of-Service, if affected ports are exposed. --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-457058.pdf ∗∗∗ HPESBHF03841 rev.1 - Certain HPE Servers with AMD-based Processors, Multiple Vulnerabilities (Fallout/Masterkey) ∗∗∗ --------------------------------------------- Several HPE servers that use AMD processors are vulnerable to security defects (Fallout/Masterkey) which allow local unauthorized elevation of privilege, unauthorized modification of information, unauthorized disclosure of information, and Denial of Service. --------------------------------------------- https://support.hpe.com/hpsc/doc/public /display?docLocale=en_US&docId=emr_na-hpesbhf03841en_us ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, java-1.7.0-openjdk, java-1.8.0-openjdk, librelp, patch, and python-paramiko), Debian (kernel and quassel), Gentoo (chromium, hesiod, and python), openSUSE (corosync, dovecot22, libraw, patch, and squid), Oracle (java-1.7.0-openjdk), Red Hat (go-toolset-7 and go-toolset-7-golang, java-1.7.0-openjdk, and rh-php70-php), and SUSE (corosync and patch). --------------------------------------------- https://lwn.net/Articles/753457/ ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK IBM Rational Software Architect and Rational Software Architect for WebSphere Software. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015990 ∗∗∗ IBM Security Bulletin: Information Disclosure in WebSphere Application Server (CVE-2017-1743) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22013601 ∗∗∗ IBM Security Bulletin: Jnuary 2017 OpenSSL Vulnerabilities affect Multiple N series Products ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012311 ∗∗∗ IBM Security Bulletin: ISC DHCP vulnerability affects TS4500 Tape Library (CVE-2018-5732) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012247 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.05.2018
by Daily end-of-shift report 02 May '18

02 May '18

===================== = End-of-Day report = ===================== Timeframe: Montag 30-04-2018 18:00 − Mittwoch 02-05-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Millionen Autos von Volkswagen und Audi können gehackt werden ∗∗∗ --------------------------------------------- Zwei Sicherheitsforscher haben eine Sicherheitslücke entdeckt, die zahlreiche populäre Fahrzeuge betrifft. --------------------------------------------- https://futurezone.at/digital-life/millionen-autos-von-volkswagen-und-audi-… ∗∗∗ Security baseline for Windows 10 “April 2018 Update” (v1803) – FINAL ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 “April 2018 Update,” also known as version 1803, “Redstone 4,” or RS4. Download the .. --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2018/04/30/security-baseline-f… ∗∗∗ 7-Zip: From Uninitialized Memory to Remote Code Execution ∗∗∗ --------------------------------------------- After my previous post on the 7-Zip bugs CVE-2017-17969 and CVE-2018-5996, I continued to spend time on analyzing antivirus software. As it happens, I found a new bug that (as the last two bugs) .. --------------------------------------------- https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-e… ∗∗∗ Jetzt absichern! Oracle WebLogic Server im Visier von Angreifern ∗∗∗ --------------------------------------------- Sicherheitsforscher beobachten vermehrt Scans nach verwundbaren WebLogic Servern. Updates stehen bereit – Angreifer sollen den Schutz jedoch umgehen können. --------------------------------------------- https://www.heise.de/meldung/Jetzt-absichern-Oracle-WebLogic-Server-im-Visi… ∗∗∗ Windows 10 1803 ohne Microcode-Updates gegen Spectre V2 ∗∗∗ --------------------------------------------- Die Installation des Windows 10 April 2018 Update verdrängt Microcode-Updates für Intel-Prozessoren aus dem Update KB4090007, die vor der Sicherheitslücke Spectre V2 schützen - man braucht also wieder BIOS-Updates. --------------------------------------------- https://www.heise.de/meldung/Windows-10-1803-ohne-Microcode-Updates-gegen-S… ∗∗∗ Spammer missbrauchen ungefilterte Redirects in Google Maps ∗∗∗ --------------------------------------------- Kriminelle nutzen Googles Online-Kartendienst Maps, um Opfer mittels offener Redirects auf gefährliche Irrwege zu führen. Das Unternehmen weiß um das Problem, scheint aber bislang keinen Handlungsbedarf zu sehen. --------------------------------------------- https://www.heise.de/meldung/Spammer-missbrauchen-ungefilterte-Redirects-in… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cups-filters, ghostscript, glusterfs, PackageKit, qpdf, and xen), Mageia (anki, libofx, ming, sox, webkit2, and xdg-user-dirs), Oracle (corosync, java-1.7.0-openjdk, and pcs), Red Hat (java-1.7.0-openjdk), Scientific Linux (corosync, firefox, gcc, glibc, golang, java-1.7.0-openjdk, java-1.8.0-openjdk, .. --------------------------------------------- https://lwn.net/Articles/753257/ ===================== = Vulnerabilities = ===================== ∗∗∗ Bugtraq: CA20180501-01: Security Notice for CA Spectrum ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541977 ∗∗∗ Vuln: PHP CVE-2018-10547 Incomplete Fix Cross Site Scripting Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/104020 ∗∗∗ Security Advisory - Two Vulnerabilities in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171018-… ∗∗∗ Security Advisory - DoS Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171201-… ∗∗∗ IBM Security Bulletin: Vulnerabilities in cURL component shipped with IBM Rational ClearCase (CVE-2018-1000005, CVE-2018-1000007) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014495 ∗∗∗ IBM Security Bulletin: API Connect is affected by an information leakage vulnerability (CVE-2018-1468) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015968 ∗∗∗ IBM SECURITY BULLETIN: Multiple vulnerabilities in IBM Java Runtime affect IBM QRadar SIEM. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015825 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.04.2018
by Daily end-of-shift report 30 Apr '18

30 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-04-2018 18:00 − Montag 30-04-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Issue with BitLocker/DMA setting in Windows 10 “Fall Creators Update” (v1709) ∗∗∗ --------------------------------------------- Update, 27 April 2018: The problem described in this post has been fixed in the April 2018 quality update. Customers that deployed Microsoft’s security baseline for Windows 10 v1709 might have experienced device and component failures. The .. --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2018/01/18/issue-with-bitlocke… ∗∗∗ FacexWorm Targets Cryptocurrency Trading Platforms, Abuses Facebook Messenger for Propagation ∗∗∗ --------------------------------------------- Our Cyber Safety Solutions team identified a malicious Chrome extension we named FacexWorm, which uses a miscellany of techniques to target cryptocurrency trading platforms accessed on an affected browser and .. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/facexworm-targe… ∗∗∗ Please don’t buy this: smart toys ∗∗∗ --------------------------------------------- Smart toys attempt to offer what a lot of us imagined as kids—a toy that we can not only play with, but one that plays back. Many models offer voice recognition, facial expressions, hundreds of words and phrases, reaction to touch and impact, and even the ability to learn and retain new information. These .. --------------------------------------------- https://blog.malwarebytes.com/security-world/2018/04/please-dont-buy-smart-… ∗∗∗ Bundesheer-Hacker nahmen an Nato-Übung teil ∗∗∗ --------------------------------------------- In Tallinn wurde geprobt, wie Cyberangriffe abgewehrt werden können --------------------------------------------- http://derstandard.at/2000078919316 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4181 roundcube - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4181 ∗∗∗ DSA-4182 chromium-browser - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4182 ∗∗∗ DSA-4186 gunicorn - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4186 ∗∗∗ DSA-4185 openjdk-8 - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4185 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.04.2018
by Daily end-of-shift report 27 Apr '18

27 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-04-2018 18:00 − Freitag 27-04-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ PyRoMine Uses NSA Exploit for Monero Mining and Backdoors ∗∗∗ --------------------------------------------- Not just a miner, the malware also sets up a hidden default account with system administrator privileges, to be used for re-infection and further attacks. --------------------------------------------- http://threatpost.com/pyromine-uses-nsa-exploit-for-monero-mining-and-backd… ∗∗∗ Analysis of a Malicious Blackhat SEO Script ∗∗∗ --------------------------------------------- An enormous number of SEO spam infections are handled by us here at Sucuri. In our most recent hacked website trend report, we analyzed over 34,000+ websites and identified that 44% of all website infection cases were misused for SEO spam campaigns. Once a website has been compromised, attackers often use it to distribute malware, host phishing .. --------------------------------------------- https://blog.sucuri.net/2018/04/analysis-of-a-malicious-blackhat-seo-script… ∗∗∗ GravityRAT malware takes your systems temperature ∗∗∗ --------------------------------------------- The GravityRAT malware, discovered by Cisco Talos researchers, gives some interesting insight .. --------------------------------------------- https://www.virusbulletin.com:443/blog/2018/04/gravityrat-malware-takes-you… ∗∗∗ Phishing für Anspruchsvolle: [A]pache-Kit klont beliebte Online-Shops ∗∗∗ --------------------------------------------- Mitarbeiter des Sicherheitssoftware-Herstellers Check Point haben ein brasilianisches Phishing-Kit unter die Lupe genommen, das zum Abgreifen von Adress- und Kreditkartendaten voll funktionsfähige Marken-Shops imitiert. --------------------------------------------- https://www.heise.de/meldung/Phishing-fuer-Anspruchsvolle-A-pache-Kit-klont… ∗∗∗ Achtung vor Datendiebstahl auf Kleinanzeigenportalen! ∗∗∗ --------------------------------------------- Kleinanzeigenportale bieten eine hervorragende Möglichkeit Altes zu Geld zu machen oder das ein oder andere Schnäppchen abzustauben. Die Marktplätze erfreuen sich daher großer Beliebtheit, doch .. --------------------------------------------- http://www.watchlist-internet.at/index.php?id=71&tx_news_pi1[news]=3065&tx_… ===================== = Vulnerabilities = ===================== ∗∗∗ Delta Electronics PMSoft ∗∗∗ --------------------------------------------- This advisory includes mitigations for multiple stack-based overflow vulnerabilities in Delta Electronics PMSoft, a software development tool. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-116-01 ∗∗∗ WordPress plugin "Open Graph for Facebook, Google+ and Twitter Card Tags" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- The WordPress plugin "Open Graph for Facebook, Google+ and Twitter Card Tags" contains a cross-site scripting vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN08386386/ ∗∗∗ WordPress plugin "WP Google Map Plugin" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- The WordPress plugin "WP Google Map Plugin" contains a cross-site scripting vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN01040170/ ∗∗∗ WordPress plugin "Events Manager" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- The WordPress plugin "Events Manager" contains a cross-site scripting vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN85531148/ ∗∗∗ Cisco Small Business SPA50x, SPA51x, and SPA52x Series IP Phones SIP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.04.2018
by Daily end-of-shift report 26 Apr '18

26 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-04-2018 18:00 − Donnerstag 26-04-2018 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Core-i-Prozessoren: Microsoft liefert Spectre-Schutz für Haswell und Broadwell ∗∗∗ --------------------------------------------- Microsoft erweitert die Auslieferung von Spectre-Updates auf Prozessoren der Haswell- und Broadwell-Serien. Das Update ist optional und muss manuell heruntergeladen werden. Viele Nutzer werden von ihren Mainboardherstellern keine Updates mehr bekommen. --------------------------------------------- https://www.golem.de/news/core-i-prozessoren-microsoft-liefert-spectre-schu… ∗∗∗ DDoS attacks in Q1 2018 ∗∗∗ --------------------------------------------- In Q1 2018, we observed a significant increase in both the total number and duration of DDoS attacks against Q4 2017. The new Linux-based botnets Darkai (a Mirai clone) and AESDDoS are largely responsible for this hike. --------------------------------------------- http://securelist.com/ddos-report-in-q1-2018/85373/ ∗∗∗ Mac-Malware will sich per Konfigurationsprofil einnisten ∗∗∗ --------------------------------------------- Eine neue Variante des Schädlings “Crossrider” manipuliert die Einstellungen, um auch eine manuelle Entfernung der Adware durch den Nutzer zu überdauern, warnt eine Sicherheitsfirma. --------------------------------------------- https://heise.de/-4034258 ∗∗∗ Server-Verwaltung: Erpressungstrojaner hat es auf HPE iLo abgesehen ∗∗∗ --------------------------------------------- Aufgrund von Attacken sollten Server-Admins, die auf die Management-Software Integrated Lights-out 4 (iLO 4) von HPE setzen, prüfen, ob ihre Geräte auf dem aktuellen Stand sind und ob der Fernzugriff aktiviert ist. --------------------------------------------- https://heise.de/-4035630 ∗∗∗ "Mılka" statt "Milka": Neue Fake-Gewinnspiele auf Whatsapp im Umlauf ∗∗∗ --------------------------------------------- Betrügerische Nachrichten enthalten täuschend echt wirkende Links --------------------------------------------- http://derstandard.at/2000078631245 ∗∗∗ Achtung vor Datendiebstahl auf Kleinanzeigenportalen! ∗∗∗ --------------------------------------------- Die Marktplätze erfreuen sich daher großer Beliebtheit, doch bei der Nutzung dieser Plattformen ist auch Vorsicht geboten. Kriminelle betreiben hier nämlich systematischen Daten- und Identitätsdiebstahl. Nutzer und Nutzerinnen müssen daher gut darüber nachdenken, welche Daten sie über das Internet an unbekannte Personen preisgeben und sollten keine Fotos diverser Ausweisdokumente versenden. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-datendiebstahl-auf-klein… ===================== = Vulnerabilities = ===================== ∗∗∗ Hyperoptics ZTE-made 1Gbps routers had hyper-hardcoded hyper-root hyper-password ∗∗∗ --------------------------------------------- Firmware updates pushed out to up to 400,000 subscribers A security vulnerability has been found in Brit broadband biz Hyperoptics home routers that exposes tens of thousands of its subscribers to hackers.… --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/04/26/hyperoptics… ∗∗∗ JSON API - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2018-021 ∗∗∗ --------------------------------------------- This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't provide CSRF protection when processing authenticated traffic using cookie-based authentication. This vulnerability is mitigated by the fact that an attacker must be allowed to create or modify entities of a certain type, and a very specific and uncommon CORS configuration that allows all other pre-checks to be skipped. --------------------------------------------- https://www.drupal.org/sa-contrib-2018-021 ∗∗∗ Media - Critical - Remote Code Execution - SA-CONTRIB-2018-020 ∗∗∗ --------------------------------------------- The Media module provides an extensible framework for managing files and multimedia assets, regardless of whether they are hosted on your own site or a third party site. The module contained a vulnerability similar to SA-CORE-2018-004, leading to a possible remote code execution (RCE) attack. --------------------------------------------- https://www.drupal.org/sa-contrib-2018-020 ∗∗∗ PHP: Mehrere Schwachstellen ermöglichen u.a. Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- Mehrere Schwachstellen ermöglichen einem entfernten, nicht authentisierten Angreifer die Durchführung verschiedener Denial-of-Service (DoS)-Angriffe. Eine dieser Schwachstellen ermöglicht dem Angreifer einen kompletten Denial-of-Service-Zustand zu bewirken. Eine weitere Schwachstelle ermöglicht dem Angreifer einen Cross-Site-Scripting (XSS)-Angriff. Die offiziellen Releases zur Behebung der Schwachstellen sind PHP 7.2.5, 7.1.17, 7.0.30 und vermutlich 5.6.36 (noch nicht verfügbar). Nähere Informationen zu den genannten Schwachstellen und weiteren Bugs finden sich in den zugehörigen ChangeLogs. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-0789/ ∗∗∗ Kritische Sicherheitslücke in Drupal - aktiv ausgenützt - Updates verfügbar ∗∗∗ --------------------------------------------- In der verbreiteten CMS-Software Drupal ist eine kritische Sicherheitslücke entdeckt worden. Durch Ausnutzung dieses Fehlers kann auf betroffenen Systemen beliebiger Code (mit den Rechten des Webserver-Users) ausgeführt werden. CVE-Nummer: CVE-2018-7602 --------------------------------------------- http://www.cert.at/warnings/all/20180426.html ∗∗∗ IE Zero-Day “double kill” And Its First In-The-Wild Attack Found By 360 ∗∗∗ --------------------------------------------- Recently, 360 Security Center discovered an attack that used IE 0-day vulnerability. After analysis, we found that it is the first APT(Advanced Persistent Threat) campaign that forms its attack with an Office document embedding a newly discovered Internet Explorer 0-day exploit. As soon as anyone opens the malicious document, they get infected and give away control of their computers. --------------------------------------------- https://blog.360totalsecurity.com/en/ie-zero-day-double-kill-first-wild-att… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7, gcc-4.9-backport, ghostscript, and openslp-dfsg), Fedora (anki, composer, perl, and perl-Module-CoreList), Red Hat (kernel and rh-mysql56-mysql), and SUSE (kernel, kvm, and zsh). --------------------------------------------- https://lwn.net/Articles/752860/ ∗∗∗ IBM Security Bulletin: IBM Campaign Contains Client-side Vulnerability (CVE-2017-1116) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015569 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM i ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022561 ∗∗∗ IBM Security Bulletin: BigFix Platform 9.5.x / 9.2.x affected by multiple vulnerabilities (CVE-2018-1471, CVE-2018-1473, CVE-2018-1479, CVE-2018-1475) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015754 ∗∗∗ IBM Security Bulletin: Vulnerability in IBM Java SDK affect eDiscovery Analyzer ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22014443 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect ITCAM for SOA ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015258 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect eDiscovery Analyzer ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22012865 ∗∗∗ IBM Security Bulletin: IBM MQ Appliance is affected by OpenSSH vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011165 ∗∗∗ IBM Security Bulletin: Security vulnerability in IBM WebSphere Application Server affects Rational Reporting for Development Intelligence (CVE-2017-1681) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015667 ∗∗∗ IBM Security Bulletin: Security vulnerabilities in IBM WebSphere Application Server affects Rational Insight (CVE-2017-1681) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015668 ∗∗∗ IBM Security Bulletin: Open Source XStream Vulnerabilities Impact on IBM Campaign (CVE-2017-7957) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015573 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.04.2018
by Daily end-of-shift report 25 Apr '18

25 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-04-2018 18:00 − Mittwoch 25-04-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MikroTik Patches Zero-Day Flaw Under Attack in Record Time ∗∗∗ --------------------------------------------- MikroTik has released firmware patches for RouterOS, the operating system that ships with some of its routers. The patches fix a zero-day vulnerability exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mikrotik-patches-zero-day-fl… ∗∗∗ Austria Cyber Security Challenge 2018 ∗∗∗ --------------------------------------------- Austria Cyber Security Challenge 201825. April 2018Auch heuer wieder gibt es eine Cyber Security Challenge. Wir von CERT.at halten das für eine gute Geschichte und daher auch von uns der Aufruf an Jung und (heuer neu!) Alt, hier mitzumachen.Es folgt der Meldung der Veranstalter:Die Besten Nachwuchs-Hacker Österreichs - und jene die es .. --------------------------------------------- http://www.cert.at/services/blog/20180425145422-2192.html ∗∗∗ BGP leaks and cryptocurrencies ∗∗∗ --------------------------------------------- Over the few last hours, a dozen news stories have broken about how an attacker attempted (and perhaps managed) to steal cryptocurrencies using a BGP leak. --------------------------------------------- https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/ ∗∗∗ Ving Card: Sicherheitslücke in Millionen Hoteltüren gefunden ∗∗∗ --------------------------------------------- Sicherheitsforschern ist es gelungen, einen Generalschlüssel zu erstellen, mit dem alle Türen eines Hotels geöffnet werden können. Weltweit sollen über eine Million Türen betroffen sein, ein Patch steht beriet. --------------------------------------------- https://www.golem.de/news/ving-card-sicherheitsluecke-in-millionen-hoteltue… ∗∗∗ Separate ransomware attacks hit Ukraine and Canada ∗∗∗ --------------------------------------------- Two widely separated ransomware attacks against the Ukrainian energy ministry and the provincial government of Canadas Prince Edward Island (PEI) have knocked each agencies primary website offline. --------------------------------------------- https://www.scmagazine.com/separate-ransomware-attacks-hit-ukraine-and-cana… ∗∗∗ Steps to Keep Your Site Clean: Updates ∗∗∗ --------------------------------------------- This is the second post of a series about Steps to Keep Your Site Clean. In the first post, we talked about Access Points; here we are going to offer more insight on Updates. Updates Repeatedly we see websites being infected or reinfected when important security updates are not taken seriously. Most software updates are created due to a security breach .. --------------------------------------------- https://blog.sucuri.net/2018/04/steps-to-keep-your-site-clean-updates.html ∗∗∗ Sicherheits- und Bugfix-Updates für iPhone, iPad und Mac ∗∗∗ --------------------------------------------- Apple hat am Dienstagabend iOS 11.3.1 und das Security Update 2018-001 für macOS High Sierra 10.13.4 veröffentlicht, die teils kritische Fehler beheben. Einen neuen Build von Safari 11.1 gibts obendrein. --------------------------------------------- https://www.heise.de/meldung/Sicherheits-und-Bugfix-Updates-fuer-iPhone-iPa… ∗∗∗ Angriffe auf Drupal-Webseiten: Erneut äußerst wichtige Sicherheitsupdates im Anflug ∗∗∗ --------------------------------------------- Admins von Drupal-Webseiten müssen erneut Hand anlegen: Die Entwickler haben Updates angekündigt, um eine kritische Sicherheitslücke zu schließen. --------------------------------------------- https://www.heise.de/meldung/Angriffe-auf-Drupal-Webseiten-Erneut-aeusserst… ∗∗∗ Europol: Weltweit größter Marktplatz für DDoS-Attacken vom Netz genommen ∗∗∗ --------------------------------------------- Europäischen Strafverfolgern ist es in einer koordinierten Aktion gelungen, die Drahtzieher des angeblich größten Onlinemarkts für DDoS-Attacken festzunehmen. Der Marktplatz selbst wurde vom Netz genommen. Infrastruktur fand sich auch in Deutschland. --------------------------------------------- https://www.heise.de/meldung/Europol-Weltweit-groesster-Marktplatz-fuer-DDo… ∗∗∗ Vier von fünf heimischen Online-Shops von Betrug betroffen ∗∗∗ --------------------------------------------- Identitätsdiebstahl und Zahlungsunfähigkeit als häufigste Betrugsform in Österreich --------------------------------------------- http://derstandard.at/2000078615586 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-4179 linux-tools - security update ∗∗∗ --------------------------------------------- https://www.debian.org/security/2018/dsa-4179 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.04.2018
by Daily end-of-shift report 24 Apr '18

24 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Montag 23-04-2018 18:00 − Dienstag 24-04-2018 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Mobilfunk: Was 5G im Bereich Security bringt ∗∗∗ --------------------------------------------- In 5G-Netzwerken werden Sim-Karten für einige Anwendungsbereiche optional, das Roaming wird für Netzbetreiber nachvollziehbarer und sicherer. Außerdem verschwinden die alten Signalisierungsprotokolle. Golem.de hat mit einem Experten über Sicherheitsmaßnahmen im kommenden 5G-Netzwerk gesprochen. --------------------------------------------- https://www.golem.de/news/mobilfunk-was-5g-im-bereich-security-bringt-1804-… ∗∗∗ Atlanta Spent $2.6M to Recover From $52,000 Ransomware Scare ∗∗∗ --------------------------------------------- Whether to pay ransomware is a complicated—and costly—calculation. --------------------------------------------- https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare ∗∗∗ Veröffentlichter Boot-Exploit knackt alle Nintendo-Switch-Konsolen ∗∗∗ --------------------------------------------- Mehrere Hacker-Gruppen zeigen, wie sie in Nintendos Switch einsteigen und beispielsweise Linux mit offensichtlich vollem Hardwarezugriff auf der Spielkonsole laufen lassen. --------------------------------------------- https://www.heise.de/meldung/Veroeffentlichter-Boot-Exploit-knackt-alle-Nin… ∗∗∗ Fake-Support per Telefon: Microsoft meldet Zunahme von Betrugsfällen ∗∗∗ --------------------------------------------- Offenbar ist es ein lohnendes Geschäft, sich als angeblicher Windows-Support-Mitarbeiter Remote-Zugriff auf fremde Rechner zu verschaffen: Jüngst veröffentlichte Zahlen dokumentieren eine starke Zunahme von "Tech Support Scam" im Jahr 2017. --------------------------------------------- https://www.heise.de/meldung/Fake-Support-per-Telefon-Microsoft-meldet-Zuna… ∗∗∗ Cryptomining Campaign Returns Coal and Not Diamond ∗∗∗ --------------------------------------------- Executive summarySoon after a launch of a new cryptocurrency, Bitvote, in January, Talos discovered a new mining campaign affecting systems in India, Indonesia, Vietnam and several other countries that were tied to Bitvote. Apart from the fact that the attackers have chosen to target the new bitcoin fork in order to gain the early adoption advantage, this .. --------------------------------------------- http://feedproxy.google.com/~r/feedburner/Talos/~3/5RBkUbicJr4/cryptomining… ∗∗∗ Sednit update: Analysis of Zebrocy ∗∗∗ --------------------------------------------- Zebrocy heavily used by the Sednit group over last two years The post Sednit update: Analysis of Zebrocy appeared first on WeLiveSecurity --------------------------------------------- https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy ∗∗∗ Angebliche Sicherheits-App der Erste Bank und Sparkasse ist schädlich! ∗∗∗ --------------------------------------------- Betrüger fälschen eine Erste Bank und Sparkasse-Nachricht und versenden diese massenhaft. In der Nachricht wird behauptet, dass das Bankkonto des/der Empfänger/in eingeschränkt werden musste und zur weiteren Nutzung die Installation einer Sicherheits-App nötig sei. Doch Vorsicht: es handelt sich bei der E-Mail um Phishing und .. --------------------------------------------- https://www.watchlist-internet.at/news/angebliche-sicherheits-app-der-erste… ∗∗∗ Drupal 7 and 8 core critical release on April 25th, 2018 PSA-2018-003 ∗∗∗ --------------------------------------------- There will be a security release of Drupal 7.x, 8.4.x, and 8.5.x on April 25th, 2018 between 16:00 - 18:00 UTC. This PSA is to notify that the Drupal core release is outside of the regular schedule of security releases. For all security updates, the Drupal Security Team urges you to reserve time for core updates at that time because there is some risk .. --------------------------------------------- https://www.drupal.org/psa-2018-003 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Adaptive Security Appliance Flow Creation Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the ingress flow creation functionality of Cisco Adaptive Security Appliance (ASA) could allow an unauthenticated, remote attacker to cause the CPU to increase upwards of 100 percent utilization, causing a denial of service (DoS) condition on an affected system. The vulnerability is due to incorrect handling of an internal software .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Wireless LAN Controller Default Simple Network Management Protocol Community Strings ∗∗∗ --------------------------------------------- With new installations of Cisco Wireless LAN Controller Software, the installation scripts create default communities for Simple Network Management Protocol (SNMP) Version 2 (SNMPv2) and a default username for SNMP Version 3 (SNMPv3), both allowing for read and write access. As documented in the Cisco Wireless LAN Controller Configuration Best Practices .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Reflected Cross-Site Scripting in Zyxel Zywall ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/reflected-cross-site-scripti… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.04.2018
by Daily end-of-shift report 23 Apr '18

23 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-04-2018 18:00 − Montag 23-04-2018 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Datenleck bei Sicherheitskonferenz ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der App zur RSA Sicherheitskonferenz ermöglichte es, die Namen von Konferenzteilnehmern auszulesen. --------------------------------------------- https://futurezone.at/digital-life/datenleck-bei-sicherheitskonferenz/40002… ∗∗∗ UMCI: Project Zero veröffentlicht Windows-10-Sicherheitslücke ∗∗∗ --------------------------------------------- Wieder einmal haben sich Google und Microsoft über die Veröffentlichung einer Sicherheitslücke gestritten. Der Fehler in .Net ermöglicht es einem Angreifer, trotz enger Beschränkungen Code unter Windows 10 S oder auf UMCI-Systemen auszuführen. (Project Zero, Google) --------------------------------------------- https://www.golem.de/news/umci-project-zero-veroeffentlicht-windows-10-sich… ∗∗∗ Chinese web giant finds Windows zero-day, stays shtum on specifics ∗∗∗ --------------------------------------------- Quihoo 360 plays the responsible disclosure game Chinese company Quihoo 360 says its found a Windows zero-day in the wild, but because its notified Microsoft, its not telling anyone else how it works. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/04/23/quihoo_360_… ∗∗∗ Monero-Mining RETADUP Worm Goes Polymorphic, Gets an AutoHotKey Variant ∗∗∗ --------------------------------------------- We came across a new version of a cryptocurrency-mining RETADUP worm (detected by Trend Micro as WORM_RETADUP.G) through feedback from our managed detection and response-related monitoring. This new variant is coded in AutoHotKey, an open-source scripting language used in Windows for creating hotkeys (i.e., keyboard shortcuts, macros, software automation). AutoHotKey is relatively similar to the script automation utility AutoIt, from which RETADUP’s earlier variants were based on and used [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/3PgT2t0-HwE/ ∗∗∗ Loading Kernel Shellcode ∗∗∗ --------------------------------------------- In the wake of recent hacking tool dumps, the FLARE team saw a spike in malware samples detonating kernel shellcode. Although most samples can be analyzed statically, the FLARE team sometimes debugs these samples to confirm specific functionality. Debugging can be an efficient way to get around packing or obfuscation and quickly identify the structures, system routines, and processes that a kernel shellcode sample is accessing. This post begins a series centered on kernel software analysis, and [...] --------------------------------------------- http://www.fireeye.com/blog/threat-research/2018/04/loading-kernel-shellcod… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gunicorn, libreoffice, libsdl2-image, ruby1.8, and ruby1.9.1), Fedora (java-1.8.0-openjdk, jgraphx, memcached, nghttp2, perl, perl-Module-CoreList, and roundcubemail), Gentoo (clamav, librelp, mbedtls, quagga, tenshi, and unadf), Mageia (freeplane, libcdio, libtiff, thunderbird, and zsh), openSUSE (cfitsio, chromium, mbedtls, and nextcloud), and Red Hat (chromium-browser, kernel, and rh-perl524-perl). --------------------------------------------- https://lwn.net/Articles/752544/ ∗∗∗ FortiClient insecure VPN credential storage and encryption ∗∗∗ --------------------------------------------- http://fortiguard.com/psirt/FG-IR-17-214 ∗∗∗ IBM Security Bulletin: IBM Content Manager Enterprise Edition Resource Manager is affected by a Remote Code Execution Cross-site Scripting vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/docview.wss?uid=swg22014917 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affect IBM Cloud Application Performance Management Private 8.1.4. and IBM Cloud Application Performance Management ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015278 ∗∗∗ Multiple Stored XSS Vulnerabilities in WSO2 Carbon and WSO2 Dashboard Server ∗∗∗ --------------------------------------------- https://www.sec-consult.com/en/blog/advisories/multiple-stored-xss-vulnerab… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.04.2018
by Daily end-of-shift report 20 Apr '18

20 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-04-2018 18:00 − Freitag 20-04-2018 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Patschn am Patscherkofel ∗∗∗ --------------------------------------------- Nachdem einige Medien über einen Vorfall berichten, bei dem auch wir involviert waren, will ich hier ein paar Fakten klarstellen: Wir bekommen immer wieder von Researchern - und da ist die "Internetwache" nur einer unter vielen - Hinweise zu konkreten Sicherheitsproblemen im österreichischen Internet. Unsere Rolle hier ist, diese Meldungen (auf Wunsch anonymisiert) an die Betroffenen weiterzuleiten und dort für die entsprechende [...] --------------------------------------------- http://www.cert.at/services/blog/20180420131015-2180.html ∗∗∗ Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training ∗∗∗ --------------------------------------------- Booz Allen survey shows most organizations' answer to the security skills shortage may be unsustainable. --------------------------------------------- https://www.darkreading.com/careers-and-people/firms-more-likely-to-tempt-s… ∗∗∗ First Public Demo of Data Breach via IoT Hack Comes to RSAC ∗∗∗ --------------------------------------------- At RSA Conference, senior researchers will show how relatively unskilled attackers can steal personally identifiable information without coming into contact with endpoint security tools. --------------------------------------------- https://www.darkreading.com/vulnerabilities---threats/first-public-demo-of-… ∗∗∗ Doctor Web: a Trojan on Google Play subscribes users to paid services ∗∗∗ --------------------------------------------- April 16, 2018 Doctor Web virus analysts have detected a Trojan Android.Click.245.origin on Google Play. When ordered by cybercriminals, it loads websites where users are tricked into subscribing to paid content services. In some cases the subscription is executed automatically when users click on a fake "download program" button. Cybercriminals distributed Android.Click.245.origin on behalf of developer Roman Zencov and disguised the Trojan as popular applications. --------------------------------------------- https://news.drweb.com/show/?i=12540&lng=en&c=9 ∗∗∗ Introducing Windows Defender System Guard runtime attestation ∗∗∗ --------------------------------------------- At Microsoft, we want users to be in control of their devices, including knowing the security health of these devices. If important security features should fail, users should be aware. Windows Defender System Guard runtime attestation, a new Windows platform security technology, fills this need. In Windows 10 Fall Creators Update, we reorganized all system [...] --------------------------------------------- https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-win… ∗∗∗ NCSC publishes factsheet on considerations and preconditions for the deployment of TLS interception ∗∗∗ --------------------------------------------- TLS interception makes encrypted connections within the network of an organisation accessible for inspection. The use of this technical measure should be carefully considered in the light of additional risks and should meet a number of important preconditions. --------------------------------------------- https://www.ncsc.nl/english/current-topics/news/ncsc-publishes-factsheet-on… ∗∗∗ Botnet Muhstik is Actively Exploiting Drupal CVE-2018-7600 in a Worm Style ∗∗∗ --------------------------------------------- On March 28, 2018, drupal released a patch for CVE-2018-7600. Drupal is an open-source content management system written in PHP, quite popular in many sites to provide web service. This vulnerability exists in multiple drupal versions, which may be exploited by an attacker to take full control of the target. --------------------------------------------- http://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve… ∗∗∗ XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing ∗∗∗ --------------------------------------------- We have been detecting a new wave of network attacks since early March, which, for now, are targeting Japan, Korea, China, Taiwan, and Hong Kong. The attacks use Domain Name System (DNS) cache poisoning/DNS spoofing, possibly through infringement techniques such as brute-force or dictionary attacks, to distribute and install malicious Android apps. Trend Micro detects these as ANDROIDOS_XLOADER.HRX. These malware pose as legitimate Facebook or Chrome applications. They are distributed from [...] --------------------------------------------- http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/a9ANfAHCd0c/ ∗∗∗ iPhone-Unlock-Tool GrayKey: Apple streicht Gegenmittel aus iOS 11.3 ∗∗∗ --------------------------------------------- iOS 11.3 sollte es eigentlich schwerer machen, iPhone-Daten über eine Kabelverbindung auszulesen. Die wichtige Sicherheitsfunktion fehlt jedoch in der finalen Fassung, sodass sich Entsperr-Tools wie GrayKey offenbar weiter ungehindert einsetzen lassen. --------------------------------------------- https://www.heise.de/-4027793 ∗∗∗ Android: Google Safe Browsing schützt nun auch WebView in Apps ∗∗∗ --------------------------------------------- Google Safe Browsing schützt Chrome-Nutzer vor schädlichen Webseiten, Malware und Phishing-Attacken. Künftig ist der Schutzmechanismus auch in Android-WebView standardmäßig aktiv. --------------------------------------------- https://www.heise.de/-4028504 ∗∗∗ When BEC scammers specialize ∗∗∗ --------------------------------------------- A group of BEC scammers has been focusing its efforts on the global maritime shipping industry, compromising emails accounts and attempting to trick targets into delivering considerable sums to bank accounts set up by the group. Secureworks researchers have been tracking the group's activities for quite a while and have been warning the targets. They estimate that between June 2017 and January 2018, the scammers attempted to steal a minimum of $3.9 million U.S. dollars [...] --------------------------------------------- https://www.helpnetsecurity.com/2018/04/20/bec-scammers-specialize/ ===================== = Vulnerabilities = ===================== ∗∗∗ Siemens SIMATIC WinCC OA Operator IOS App ∗∗∗ --------------------------------------------- This advisory includes mitigations for a file and directory information exposure vulnerability identified in the Siemens WinCC OA iOS App. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-109-01 ∗∗∗ Cisco Adaptive Security Appliance WebVPN Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Login screen of the Clientless SSL VPN (WebVPN) portal of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a [...] --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ VMSA-2018-0010 ∗∗∗ --------------------------------------------- Horizon DaaS update addresses a broken authentication issue --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0010.html ∗∗∗ Vulnerability Spotlight: Multiple Issues in Foxit PDF Reader ∗∗∗ --------------------------------------------- Talos is disclosing five vulnerabilities in Foxit PDF Reader. Foxit PDF Reader is a popular free program for viewing, creating, and editing PDF documents. It is commonly used as an alternative to Adobe Acrobat Reader and has a widely used browser plugin available. Update to the current version of Foxit PDF Reader. --------------------------------------------- https://blog.talosintelligence.com/2018/04/multiple-vulns-foxit-pdf-reader.… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libreoffice and mysql-5.5), Fedora (corosync), Oracle (java-1.8.0-openjdk), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk), and Ubuntu (openssl). --------------------------------------------- https://lwn.net/Articles/752405/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2018
by Daily end-of-shift report 19 Apr '18

19 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-04-2018 18:00 − Donnerstag 19-04-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Data Firm Left Profiles of 48 Million Users on a Publicly Accessible AWS Server ∗∗∗ --------------------------------------------- LocalBlox, a company that scrapes data from public web profiles, has left the details of over 48 million users on a publicly accessible Amazon Web Services (AWS) S3 bucket, according to an UpGuard security researcher who discovered the data on February 28, this year. --------------------------------------------- https://www.bleepingcomputer.com/news/security/data-firm-left-profiles-of-4… ∗∗∗ Relieve Stress Paint Tool: Mal-Malware kopiert Facebook-Zugangsdaten ∗∗∗ --------------------------------------------- Eine Malware tarnt sich mit gefälschten Unicode-Domains und sucht gezielt nach Facebook-Zugangsdaten. Nutzern wird hingegen ein Anti-Stress-Malprogramm versprochen. (Malware, Virus) --------------------------------------------- https://www.golem.de/news/relieve-stress-paint-tool-mal-malware-kopiert-fac… ∗∗∗ Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege ∗∗∗ --------------------------------------------- Previously I presented a technique to exploit arbitrary directory creation vulnerabilities on Windows to give you read access to any file on the system. In the upcoming Spring Creators Update (RS4) the abuse of mount points to link to files as I exploited in the previous blog post has been remediated. This is an example of a long term security benefit from detailing how vulnerabilities might be exploited, giving a developer an incentive to find ways of [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-… ∗∗∗ Trustjacking exploit abuses iTunes feature to spy on iOS devices ∗∗∗ --------------------------------------------- Researchers presenting at RSA 2018 on Wednesday disclosed how attackers can gain persistent remote control over iOS devices by abusing a weakness in iTunes Wi-Fi sync, a feature that allows users to sync up iTunes content and data between Apple devices. --------------------------------------------- https://www.scmagazine.com/trustjacking-exploit-abuses-itunes-feature-to-sp… ∗∗∗ From Baidu to Google's Open Redirects ∗∗∗ --------------------------------------------- Last week, we described how an ongoing massive malware campaign began using Baidu search result links to redirect people to various ad and scam pages. It didn't last long. Soon after the publication of that article, the bad actors changed the links to use compromised third-party sites and a couple of day later they began using Google's goo.gl URL shortening service. This is a snippet from their decoded script: The Redirect Chain If you check Google's own information about that [...] --------------------------------------------- https://blog.sucuri.net/2018/04/from-baidu-to-googles-open-redirects.html ∗∗∗ Surprise! Wireless brain implants are not secure, and can be hijacked to kill you or steal thoughts ∗∗∗ --------------------------------------------- Science-fiction horror trope now a reality in 2018 Scientists in Belgium have tested the security of a wireless brain implant called a neurostimulator – and found that its unprotected signals can be hacked with off-the-shelf equipment. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/04/18/boffins_bre… ∗∗∗ New paper: Powering the distribution of Tesla stealer with PowerShell and VBA macros ∗∗∗ --------------------------------------------- Since their return four years ago, Office macros have been one of the most common ways to spread malware. Today, we publish a research paper which looks in detail at a campaign in which VBA macros are used to execute PowerShell code, which in turn downloads the Tesla information-stealing trojan. --------------------------------------------- https://www.virusbulletin.com:443/blog/2018/04/new-paper-powering-distribut… ∗∗∗ Microsoft veröffentlicht "Windows Defender" als Chrome-Erweiterung ∗∗∗ --------------------------------------------- Microsoft hat seinen Echtzeitschutz als Chrome-Erweiterung veröffentlicht: Die "Windows Defender Browser Protection" verspricht "besseren Schutz" vor betrügerischen Phishing-Seiten und Malware. --------------------------------------------- https://heise.de/-4027458 ∗∗∗ Sicherheitsupdates: Flash-Datei kann Ciscos WebEx Client kompromittieren ∗∗∗ --------------------------------------------- Cisco hat zahlreiches Patches veröffentlicht und schließt mitunter kritische Sicherheitslücken. Zudem geben sie Tipps, wie Admins Netzwerke absichern sollten. --------------------------------------------- https://www.heise.de/-4027370 ∗∗∗ Gefälschte UPC-Phishingmail im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte UPC-Nachricht. Darin erklären sie, dass das E-Mailkonto von Kund/innen gesperrt worden sei. Damit diese es weiterhin nützen können, sollen sie eine externe Website aufrufen und ihre persönlichen Zugangsdaten bekannt geben. Konsument/innen, die der Aufforderung nachkommen, übermitteln ihr UPC-Passwort an Datendiebe. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-upc-phishingmail-im-umla… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003 ∗∗∗ --------------------------------------------- Project: Drupal coreDate: 2018-April-18Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses). --------------------------------------------- https://www.drupal.org/sa-core-2018-003 ∗∗∗ Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019 ∗∗∗ --------------------------------------------- Project: Display SuiteVersion: 7.x-2.147.x-1.9Date: 2018-April-18Security risk: Critical 17∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scripting (XSS)Description: Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. The module doesnt sufficiently validate view modes provided dynamically via URLs leading to a reflected cross site scripting (XSS) attack. --------------------------------------------- https://www.drupal.org/sa-contrib-2018-019 ∗∗∗ PMASA-2018-2 ∗∗∗ --------------------------------------------- CSRF vulnerability allowing arbitrary SQL executionAffected VersionsVersion 4.8.0 is affectedCVE ID(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10188, uCVE-2018-10188) --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2018-2/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (opencv and wireshark), Fedora (corosync and pcs), Oracle (firefox, kernel, libvncserver, and libvorbis), Slackware (gd), SUSE (kernel), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/752324/ ∗∗∗ Cisco WebEx Connect IM Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco WebEx Clients Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Shell Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Industrial Ethernet Switches Device Manager Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client SAML Authentication Session Fixation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Adaptive Security Appliance Virtual Private Network SSL Client Certificate Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015077 ∗∗∗ IBM Security Bulletin: IBM API Connect is affected by an Apache HTTP Server vulnerability (CVE-2014-0226) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015233 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects IBM WebSphere Application Server for IBM Cloud January 2018 CPU ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015289 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects Liberty for Java for IBM Cloud January 2018 CPU ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015290 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager with OpenStack ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1027494 ∗∗∗ IBM Security Bulletin: OpenSSL Vulnerability affects IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix (CVE-2017-3737) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013612 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect the GSKit component of IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015424 ∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance are vulnerable to a memory leak in pubsub (CVE-2017-1786) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22013023 ∗∗∗ IBM Security Bulletin: Vulnerability affects Watson Explorer Analytical Components, Watson Explorer Foundational Components Annotation Administration Console and Watson Content Analytics ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22011118 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015635 ∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities Impact IBM Predictive Insights ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015539 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.04.2018
by Daily end-of-shift report 18 Apr '18

18 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-04-2018 18:00 − Mittwoch 18-04-2018 18:00 Handler: Alexander Riepl Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Android: Google integriert sichere DNS-Abfrage in Android P ∗∗∗ --------------------------------------------- In der kommenden Android-Version mit dem Anfangsbuchstaben P führt Google DNS over TLS ein. Damit würden DNS-Abfragen über einen sicheren Kanal erfolgen. Nutzer können in den Einstellungen auch einen eigenen Hostnamen eingeben oder die Funktion abstellen. --------------------------------------------- https://www.golem.de/news/android-google-integriert-sichere-dns-abfrage-in-… ∗∗∗ Leaking ads ∗∗∗ --------------------------------------------- We found that because of third-party SDKs many popular apps are exposing user data to the internet, with advertising SDKs usually to blame. They collect user data so they can show relehttps://www.heise.de/security/meldung/Critical-Patch-Update-Oracle-will-mit-254-Updates-die-Sicherheit-steigern-4026726.htmlvant ads, but often fail to protect that data when sending it to their servers. --------------------------------------------- http://securelist.com/leaking-ads/85239/ ∗∗∗ Malicious Activities with Google Tag Manager ∗∗∗ --------------------------------------------- If I were to ask if you could trust a script from Google that is loading on your website, the majority of users would say "yes" or even "absolutely". But when malicious behavior ensues, everything should be double-checked and suspected, even assets that come from "trusted sources" like Google, Facebook, and Youtube. In the past, we saw how adsense was abused with a malvertising campaign. Even more recently, we saw how attackers injected malware that called [...] --------------------------------------------- https://blog.sucuri.net/2018/04/malicious-activities-google-tag-manager.html ∗∗∗ Critical Patch Update: Oracle will mit 254 Updates die Sicherheit steigern ∗∗∗ --------------------------------------------- Oracle hangelt sich durch sein Software-Portfolio und schließt zum Teil äußerst kritische Sicherheitslücken. Admins sollten jetzt handeln. --------------------------------------------- https://heise.de/-4026726 ∗∗∗ Chrome 66 warnt vor Webseiten mit Symantec-Zertifikaten ∗∗∗ --------------------------------------------- Die aktuelle Version des Webbrowser Chrome vertraut ab sofort einigen TLS-Zertifikaten von Symantec nicht mehr. Das ist ein weiterer Schritt von Google gegen die Zertifizierungsstelle. --------------------------------------------- https://www.heise.de/-4026854 ∗∗∗ Erpressungstrojaner XiaoBa verwandelt sich in Krypto-Miner ∗∗∗ --------------------------------------------- Die Malware-Autoren des Verschlüsselungstrojaners XiaoBa schwenken um und wollen statt der Erpressung von Lösegeld nun Kryptogeld auf infizierten Computern schürfen. Doch dabei läuft noch nicht alles rund. --------------------------------------------- https://www.heise.de/-4026455 ∗∗∗ Cryptominers displace ransomware as the number one threat ∗∗∗ --------------------------------------------- During the first three months of 2018, cryptominers surged to the top of detected malware incidents, displacing ransomware as the number one threat, Comodo's Global Malware Report Q1 2018 has found. Another surprising finding: Altcoin Monero became the leading target for cryptominers' malware, replacing Bitcoin. The surge of cryptominers For years, Comodo Cybersecurity has tracked the rise of cryptominer attacks, malware that hijacks users' computers to mine cryptocurrencies --------------------------------------------- https://www.helpnetsecurity.com/2018/04/18/q1-2018-malware-trends/ ∗∗∗ PBot: a Python-based adware ∗∗∗ --------------------------------------------- Recently, we came across a Python-based sample dropped by an exploit kit. Although it arrives under the disguise of a MinerBlocker, it has nothing in common with miners. In fact, it seems to be PBot: a Python-based adware. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2018/04/pbot-python-based-adw… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freeplane and jruby), Fedora (kernel and python-bleach), Gentoo (evince, gdk-pixbuf, and ncurses), openSUSE (kernel), Oracle (gcc, glibc, kernel, krb5, ntp, openssh, openssl, policycoreutils, qemu-kvm, and xdg-user-dirs), Red Hat (corosync, glusterfs, kernel, and kernel-rt), SUSE (openssl), and Ubuntu (openssl and perl). --------------------------------------------- https://lwn.net/Articles/752183/ ∗∗∗ Abbott Laboratories Defibrillator ∗∗∗ --------------------------------------------- This medical advisory includes mitigations for improper authentication and improper restriction of power consumption vulnerabilities identified in Abbott Laboratories defibrillators. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-107-01 ∗∗∗ Schneider Electric Triconex Tricon ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper restriction of operations within the bounds of a memory buffer vulnerabilities in Schneider Electrics Triconex Tricon safety instrumented system. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02 ∗∗∗ Rockwell Automation Stratix Services Router ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper input validation, improper restriction of operations, and use of externally-controlled format string vulnerabilities in the Rockwell Automation Stratix 5900 router. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-03 ∗∗∗ Rockwell Automation Stratix and ArmorStratix Switches ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper improper input validation, resource management, memory buffer and externally-controlled format string vulnerabilities in Rockwell Automations Allen-Bradley Stratix and ArmorStratix Switches. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-04 ∗∗∗ Rockwell Automation Stratix Industrial Managed Ethernet Switch ∗∗∗ --------------------------------------------- This advisory includes mitigations for improper imput validation, resource managment, 7PK, memory buffer and externally-controlled format string vulnerabilities in Rockwell Automations Stratix Industrial Managed Switch. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-107-05 ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in Inputhub Driver of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180418-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.04.2018
by Daily end-of-shift report 17 Apr '18

17 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Montag 16-04-2018 18:00 − Dienstag 17-04-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Cisco Best Practices to Harden Devices Against Cyber Attacks Targeting Network Infrastructure ∗∗∗ --------------------------------------------- Cisco is aware of the recent joint technical alert from US-CERT (TA18-106A) that details known issues which require customers take steps to protect their networks against cyber-attacks. Providing transparency and guidance to help customers best protect their network is a top priority. Cisco security teams have been actively informing customers about the .. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Wichtige Sicherheitsupdates für VMware vRealize Automation ∗∗∗ --------------------------------------------- Aktualisierte Versionen von vRealize Automation schließen mehrere Sicherheitslücken. Davon gilt keine als kritisch. --------------------------------------------- https://www.heise.de/meldung/Wichtige-Sicherheitsupdates-fuer-VMware-vReali… ∗∗∗ Kreditkartenklau, DDoS-Angriffe: Facebook löscht 117 Cybercrime-Gruppen ∗∗∗ --------------------------------------------- Von Forscher gemeldet – Waren teils seit vielen Jahren aktiv, größter Auftritt hatte 47.000 Mitglieder --------------------------------------------- http://derstandard.at/2000078122065 ===================== = Vulnerabilities = ===================== ∗∗∗ 2018-04-17: Vulnerability in Relion® 630 series version 1.3 and earlier - MMS Path Traversal ∗∗∗ --------------------------------------------- 2018-04-17: Vulnerability in Relion® 630 series version 1.3 and earlier - MMS Path Traversal --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=1MRS758878&LanguageC… ∗∗∗ 2018-04-17: Vulnerability in Relion® 630 series version 1.3 and earlier - Weak Database Encryption ∗∗∗ --------------------------------------------- 2018-04-17: Vulnerability in Relion® 630 series version 1.3 and earlier - Weak Database Encryption --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=1MRS758877&LanguageC… ∗∗∗ SSA-845879 (Last Update: 2018-04-17): Firmware Downgrade Vulnerability in EN100 Ethernet Communication Module for SIPROTEC 4, SIPROTEC Compact and Reyrolle ∗∗∗ --------------------------------------------- The EN100 Ethernet communication module, which is an optional extension for SIPROTEC 4, SIPROTEC Compact and Reyrolle devices, allows an unauthenticated upload of firmware updates to the communication module in affected versions.Siemens has released updates for several affected products, is working on updates for the remaining affected products, and recommends specific countermeasures until fixes are available. --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf ∗∗∗ SSA-203306 (Last Update: 2018-04-17): Password Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact Relay Families ∗∗∗ --------------------------------------------- SIPROTEC 4 and SIPROTEC Compact devices could allow access authorization passwords to be reconstructed or overwritten via engineering mechanisms that involve DIGSI 4 and EN100 Ethernet communication modules.Siemens has released updates for several affected products, is working on updates for the remaining affected products, and recommends specific countermeasures until fixes are available. --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-203306.pdf ∗∗∗ IBM Security Bulletin: IBM i is affected by DHCP vulnerabilities CVE-2018-5732 and CVE-2018-5733. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022543 ∗∗∗ IBM Security Bulletin: API Connect Developer Portal is affected by Drupal vulnerability (CVE-2018-7600) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015105 ∗∗∗ IBM Security Bulletin: IBM Lotus Protector for Mail Security has released fixes in response to the public disclosed vulnerability from PHP. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015535 ∗∗∗ IBM Security Bulletin: Security vulnerability affects IBM® Rational® Team Concert ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015454 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2018
by Daily end-of-shift report 16 Apr '18

16 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-04-2018 18:00 − Montag 16-04-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CVE-2018-7600: Kritische Drupal-Lücke wird ausgenutzt ∗∗∗ --------------------------------------------- Wer seine Drupal-Installation noch nicht gepatcht hat, soll dies spätestens jetzt nachholen. Nach der Veröffentlichung weiterer Details und einem auf Twitter zirkulierenden Exploit-Code wurden erste Angriffe beobachtet. (Drupal, CMS) --------------------------------------------- https://www.golem.de/news/cve-2018-7600-kritische-drupal-luecke-wird-ausgen… ∗∗∗ The March/April 2018 issue of our SWITCH Security Report is available! ∗∗∗ --------------------------------------------- The topics covered in this report are: - The dark side of the Data Force: Facebook, Cambridge Analytica, and the pressing question of who is using whose data for what - News from the world of state trojans: Microsoft’s analysis of FinFisher - Russian APT28 hackers’ month-long infiltration of the computer network of Germany’s federal government - Bitcoin bounty or close encounter: bizarre side-effects of cryptomining The Security Report is available in both English and German. --------------------------------------------- https://securityblog.switch.ch/2018/04/16/switch-security-report-201802/ ===================== = Vulnerabilities = ===================== ∗∗∗ Symantec Advanced Secure Gateway (ASG), ProxySG: Mehrere Schwachstellen ermöglichen u.a. Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- Zwei Schwachstellen in Symantec Advanced Secure Gateway (ASG) und ProxySG ermöglichen einem einfach authentifizierten Angreifer im benachbarten Netzwerk die Durchführung von Cross-Site-Scripting (XSS)-Angriffen und das Umgehen von Sicherheitsvorkehrungen. Ein nicht authentisierter Angreifer im benachbarten Netzwerk kann eine weitere Schwachstelle zu Denial-of-Service (DoS)-Angriffen ausnutzen. Diese Schwachstellen können nur über die Management-Konsole von ASG und ProxySG ausgenutzt werden. --------------------------------------------- https://adv-archiv.dfn-cert.de/adv/2018-0705/ ∗∗∗ Schwachstelle in Intels SPI-Flash: Erste Firmware-Updates veröffentlicht ∗∗∗ --------------------------------------------- Ein Sicherheitsproblem in Intel-Chipsätzen ermöglicht lokalen Angreifern Firmware-Manipulationen bis hin zum Denial-of-Service. Als erster Hersteller stellt nun Lenovo BIOS/UEFI-Updates bereit. --------------------------------------------- https://heise.de/-4024853 ∗∗∗ Micro Focus Universal Configuration Management Database Lets Local Users Gain Elevated Privileges ∗∗∗ --------------------------------------------- A vulnerability was reported in Micro Focus Universal Configuration Management Database (UCMDB). A local user can obtain elevated privileges on the target system. A local user can exploit an installation file access control flaw to gain elevated privileges on the target system. --------------------------------------------- http://www.securitytracker.com/id/1040680 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (lib32-openssl and zsh), Debian (patch, perl, ruby-loofah, squirrelmail, tiff, and tiff3), Fedora (gnupg2), Gentoo (go), Mageia (firefox, flash-player-plugin, nxagent, puppet, python-paramiko, samba, and thunderbird), Red Hat (flash-plugin), Scientific Linux (python-paramiko), and Ubuntu (patch, perl, and ruby). --------------------------------------------- https://lwn.net/Articles/751947/ ∗∗∗ IBM Security Bulletin: Vulnerability in IBM WebSphere Application Server Affects IBM Emptoris Sourcing, IBM Emptoris Contract Management, IBM Emptoris Spend Analysis, IBM Emptoris Program Management and IBM Emptoris Service Procurement ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015421 ∗∗∗ OpenSSL vulnerability CVE-2018-0739 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08044291 ∗∗∗ Apache Tomcat vulnerability CVE-2018-1305 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32051722 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.04.2018
by Daily end-of-shift report 13 Apr '18

13 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-04-2018 18:00 − Freitag 13-04-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploitation of Drupalgeddon2 Flaw Starts After Publication of PoC Code ∗∗∗ --------------------------------------------- The exploitation of a very dangerous Drupal vulnerability has started after the publication of proof-of-concept (PoC) code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploitation-of-drupalgeddon… ∗∗∗ "Early Bird" Code Injection Technique Helps Malware Stay Undetected ∗∗∗ --------------------------------------------- Security researchers have discovered at least three malware strains using a new code injection technique that allowed them to avoid antivirus detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/early-bird-code-injection-te… ∗∗∗ Office Macros ∗∗∗ --------------------------------------------- Eine kleine Bemerkung aus aktuellem Anlass: Ich hab gestern mal wieder meinen üblichen Vortrag zum Thema "Bedrohungslage" gehalten, und dabei auch - wie immer - erwähnt, dass Office-Macros gefährlich sind und eingeschränkt werden müssen. Im Publikum war klar zu erkennen, dass einige das bei sich nicht machen können. Verständlich, weil in so manchen Firmen wichtige Geschäftsprozesse als Excel-Macros implementiert [...] --------------------------------------------- http://www.cert.at/services/blog/20180413094624-2176.html ∗∗∗ Thousands of WP, Joomla and SquareSpace sites serving malicious updates ∗∗∗ --------------------------------------------- Thousands of compromised WordPress, Joomla and SquareSpace-based sites are actively pushing malware disguised as Firefox, Chrome and Flash Player updates onto visitors. This campaign has been going on since at least December 2017 and has been gaining steam. The malicious actors are injecting JavaScript that triggers the download requests into the content management systems' JavaScript files or directly into the sites' homepage. --------------------------------------------- https://www.helpnetsecurity.com/2018/04/13/wp-joomla-squarespace-malicious-… ∗∗∗ Android-Hersteller belügen Nutzer bei Sicherheits-Updates ∗∗∗ --------------------------------------------- Bis auf Google liefert niemand wirklich alle Patches aus – Samsung patzt manchmal, OnePlus, LG und Co. regelmäßig --------------------------------------------- http://derstandard.at/2000077842490 ∗∗∗ Introducing Snallygaster - a Tool to Scan for Secrets on Web Servers ∗∗∗ --------------------------------------------- https://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan… ===================== = Vulnerabilities = ===================== ∗∗∗ Yokogawa CENTUM and Exaopc ∗∗∗ --------------------------------------------- This advisory includes mitigations for a permissions, privileges, and access controls vulnerability in the Yokogawa CENTUM series and Exaopc products. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-102-01 ∗∗∗ Oracle Critical Patch Update Pre-Release Announcement - April 2018 ∗∗∗ --------------------------------------------- This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for April 2018, which will be released on Tuesday, April 17, 2018. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory. --------------------------------------------- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html ∗∗∗ VMSA-2018-0009 ∗∗∗ --------------------------------------------- vRealize Automation updates address multiple security issues. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2018-0009.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (apache), openSUSE (libvirt, openssl, policycoreutils, and zziplib), Oracle (firefox and python-paramiko), and Red Hat (python-paramiko). --------------------------------------------- https://lwn.net/Articles/751780/ ∗∗∗ Bugtraq: [security bulletin] MFSBGN03802 - Virtualization Performance Viewer (vPV) / Cloud Optimizer, Local Disclosure of Information ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541942 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22014440 ∗∗∗ IBM Security Bulletin: IBM MQ clients connecting to an MQ queue manager can cause a SIGSEGV in the amqrmppa channel process terminating it. (CVE-2018-1371) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22012983 ∗∗∗ IBM Security Bulletin: Open Source OpenSSL Vulnerabilities which is used by IBM PureApplication Systems/Service (CVE-2017-3736 CVE-2017-3738) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014945 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i and Rational Developer for AIX and Linux ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015346 ∗∗∗ IBM Security Bulletin: Content Collector for Email affected by privilege escalation vulnerability in WebSphere Application Server ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22015034 ∗∗∗ IBM Security Bulletin: Content Collector for Email affected by information disclosure vulnerability in Websphere Application Server ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22015032 ∗∗∗ BIG-IP TMM vulnerability CVE-2018-5510 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K77671456 ∗∗∗ BIG-IP IPsec tunnel endpoint vulnerability CVE-2017-6156 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K05263202 ∗∗∗ BIG-IP PEM vulnerability CVE-2018-5508 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10329515 ∗∗∗ BIG-IP SOCKS proxy vulnerability CVE-2017-6148 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55225440 ∗∗∗ vCMP Cavium Nitrox SSL hardware accelerator vulnerability CVE-2018-5507 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52521791 ∗∗∗ Apache vulnerability CVE-2018-5506 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K65355492 ∗∗∗ TMUI vulnerability CVE-2018-5511 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30500703 ∗∗∗ BIG-IP TMM vulnerability CVE-2017-6158 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K19361245 ∗∗∗ TMM vulnerability CVE-2017-6155 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10930474 ∗∗∗ IP Intelligence Feed List vulnerability CVE-2017-6143 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11464209 ∗∗∗ cURL and libcurl vulnerability CVE-2018-1000120 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K22052524 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2018
by Daily end-of-shift report 12 Apr '18

12 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-04-2018 18:00 − Donnerstag 12-04-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Android Penetration Tools Walkthrough Series Dex2Jar, JD-GUI, and Baksmali ∗∗∗ --------------------------------------------- In this article, we will be focusing on the Android penetration testing tools such as Dex2Jar, JD-GUI, and Baksmali to work with reverse engineering Android APK files. --------------------------------------------- http://resources.infosecinstitute.com/android-penetration-tools-walkthrough… ∗∗∗ APT Trends report Q1 2018 ∗∗∗ --------------------------------------------- In the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of the research we have been conducting. This report serves as the next installment, focusing on the relevant activities that we observed during Q1 2018. --------------------------------------------- http://securelist.com/apt-trends-report-q1-2018/85280/ ∗∗∗ New ‘Early Bird’ Code Injection Technique Helps APT33 Evade Detection ∗∗∗ --------------------------------------------- Researchers have identified what they are calling an Early Bird code injection technique used by the Iranian group APT33 to burrow the TurnedUp malware inside infected systems while evading anti-malware tools. --------------------------------------------- http://threatpost.com/new-early-bird-code-injection-technique-helps-apt33-e… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Multiple Simple DirectMedia Layer Vulnerabilities ∗∗∗ --------------------------------------------- Talos is disclosing several vulnerabilities identified in Simple DirectMedia Layers SDL2_Image library that could allow code execution. Simple DirectMedia Layer is a cross-platform development library designed to provide low level access to audio, keyboard, mouse, joystick, and graphics hardware via OpenGL and Direct3D. It is used by video playback software, emulators, and popular games including Valves award winning catalog ... --------------------------------------------- http://blog.talosintelligence.com/2018/04/simple-direct-media-layer-vulnera… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (poppler), Fedora (koji and libofx), Gentoo (adobe-flash), Oracle (kernel), Red Hat (qemu-kvm-rhev and sensu), and Scientific Linux (firefox). --------------------------------------------- https://lwn.net/Articles/751668/ ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities identified in IBM® Java SDK affect WebSphere Service Registry and Repository and WebSphere Service Registry and Repository Studio ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013955 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by a vulnerability in the Apache Portal Runtime (CVE-2017-12613) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014874 ∗∗∗ IBM Security Bulletin: Security vulnerability has been identified in IBM Spectrum Scale which is used by IBM PureApplication Systems/Service (CVE-2017-1654) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015239 ∗∗∗ IBM Security Bulletin: IBM Cloud Manager is affected by a OpenSSL vulnerabilities ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1027142 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM HTTP Server (CVE-2017-15710, CVE-2017-15715, CVE-2018-1301) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015344 ∗∗∗ IBM Security Bulletin: IBM Web Experience Factory is Affected by Multiple Vulnerabilities in IBM Java SDK and IBM Java Runtime ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014914 ∗∗∗ JSA10844 - 2018-04 Security Bulletin: Junos OS: Kernel crash upon receipt of crafted CLNP packets (CVE-2018-0016) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10844&actp=RSS ∗∗∗ JSA10845 - 2018-04 Security Bulletin: SRX Series: Denial of service vulnerability in flowd daemon on devices configured with NAT-PT (CVE-2018-0017) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10845&actp=RSS ∗∗∗ JSA10846 - 2018-04 Security Bulletin: SRX Series: A crafted packet may lead to information disclosure and firewall rule bypass during compilation of IDP policies. (CVE-2018-0018) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10846&actp=RSS ∗∗∗ JSA10847 - 2018-04 Security Bulletin: Junos: Denial of service vulnerability in SNMP MIB-II subagent daemon (mib2d) (CVE-2018-0019) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10847&actp=RSS ∗∗∗ JSA10848 - 2018-04 Security Bulletin: Junos OS: rpd daemon cores due to malformed BGP UPDATE packet (CVE-2018-0020) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10848&actp=RSS ∗∗∗ JSA10850 - 2018-04 Security Bulletin: NorthStar: Return Of Bleichenbachers Oracle Threat (ROBOT) RSA SSL attack (CVE-2017-1000385) ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10850&actp=RSS ∗∗∗ JSA10851 - 2018-04 Security Bulletin: OpenSSL Security Advisory [07 Dec 2017] ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10851&actp=RSS ∗∗∗ JSA10852 - 2018-04 Security Bulletin: Junos OS: Multiple vulnerabilities in stunnel ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10852&actp=RSS ∗∗∗ JSA10853 - 2018-04 Security Bulletin: NSM Appliance: Multiple vulnerabilities resolved in CentOS 6.5-based 2012.2R12 release ∗∗∗ --------------------------------------------- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10853&actp=RSS ∗∗∗ Apache HTTPD vulnerability CVE-2018-1301 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K78131906 ∗∗∗ OpenSSH vulnerability CVE-2016-10708 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32485746 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2018
by Daily end-of-shift report 11 Apr '18

11 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-04-2018 18:00 − Mittwoch 11-04-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Android Penetration Tools Walkthrough Series: Apktool ∗∗∗ --------------------------------------------- In this article, we will look at the step by step procedure to setup utility called “Apktool” and its usage in android application penetration testing. Introduction Apktool is a utility that can be used for reverse engineering Android applications resources (APK). --------------------------------------------- http://resources.infosecinstitute.com/android-penetration-tools-walkthrough… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Microsoft kümmert sich um mehr als 60 Lücken in Windows & Co. ∗∗∗ --------------------------------------------- Über Windows Update stehen Sicherheitsptaches bereit. Unter anderem schließen diese eine Lücke, über die Angreifer ein Wireless Keyboard in einen Keylogger verwandeln könnten. --------------------------------------------- https://heise.de/-4016580 ∗∗∗ Sicherheitsforscher: Intel-Modem macht neue iPhones für Schadcode anfällig ∗∗∗ --------------------------------------------- Eine Schwachstelle in Baseband-Prozessoren von Intel erlaubt versierten Angreifern das Einschleusen von Schadcode über das Mobilfunknetz. Betroffen sind laut Sicherheitsforschern neue iPhones bis hin zum iPhone X – iOS 11.3 schließt die Lücke. --------------------------------------------- https://heise.de/-4015828 ∗∗∗ AMD-Prozessoren bekommen Windows-10-Update gegen Spectre-V2-Lücke ∗∗∗ --------------------------------------------- Eine Kombination aus einem Windows-Update mit BIOS-Updates für Mainboards soll Windows-10-Rechner mit AMD-Prozessoren ab der 2011 vorgestellten Bulldozer-Generation schützen. --------------------------------------------- https://heise.de/-4016546 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pcs), Fedora (drupal7), openSUSE (git and mercurial), Red Hat (firefox and qemu-kvm-rhev), SUSE (libvirt and xen), and Ubuntu (patch). --------------------------------------------- https://lwn.net/Articles/751548/ ∗∗∗ Security Advisory - Multiple Vulnerabilities of PEM Module in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171206-… ∗∗∗ Security Advisory - Invalid Memory Access Vulnerability in Some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180411-… ∗∗∗ Security Advisory - Information Leak Vulnerability in the NFC Module of Some Huawei Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180411-… ∗∗∗ IBM Security Bulletin: IBM Tivoli Netcool Service Quality Manager is affected by an Open Source Apache Commons FileUpload vulnerability (CVE-2016-1000031) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015184 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect WebSphere MQ 5.3 and MQ 8 for HPE NonStop Server (CVE-2017-3735) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014367 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by an OpenLDAP vulnerability (CVE-2017-9287) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014873 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by glibc vulnerabilities (CVE-2015-8779, CVE-2015-8776) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014870 ∗∗∗ IBM Security Bulletin: IBM Tivoli Netcool Service Quality Manager is affected by an Open Source Apache POI vulnerability (CVE-2017-12626) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015185 ∗∗∗ IBM Security Bulletin: Vulnerability in Rational DOORS Next Generation with potential for Cross-Site Scripting attack ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22012660 ∗∗∗ IBM Security Bulletin: IBM Security Access Manager Appliance is affected by vulnerabilities in the wget package (CVE-2017-13090, CVE-2017-13089) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013885 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22013851 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.04.2018
by Daily end-of-shift report 10 Apr '18

10 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Montag 09-04-2018 18:00 − Dienstag 10-04-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Advance Persistent Threat – Lateral Movement Detection in Windows Infrastructure – Part II ∗∗∗ --------------------------------------------- In the previous article "Advanced Persistent Threat – Lateral Movement Detection in Windows Infrastructure – Part I," we discussed the advanced threat and common strategies that security professionals practice during targeted attacks in a windows infrastructure, using legitimate binaries. We also learned about the techniques to identify Spawned Processes with the help of the windows [...] --------------------------------------------- http://resources.infosecinstitute.com/advance-persistent-threat-lateral-mov… ∗∗∗ Entwickler warnt vor iOS-Angriffen über Kontakt-Berechtigungen ∗∗∗ --------------------------------------------- Apple unterscheidet aktuell nicht zwischen dem Schreiben und Lesen von Kontakten, wenn Nutzer Apps die Zugriffserlaubnis erteilen. Ein Entwickler schildert nun ein mögliches Szenario zum Abgreifen von Passwörtern. --------------------------------------------- https://heise.de/-4014136 ∗∗∗ Jetzt patchen! Angriffe auf Flash Player leichtgemacht ∗∗∗ --------------------------------------------- Derzeit sind vermehrt Exploits im Umlauf, die es auf eine Lücke in Adobes Flash Player abgesehen haben. Ein Sicherheitspatch erschien bereits im Februar. --------------------------------------------- https://www.heise.de/-4014258 ∗∗∗ BSI stellt Entwicklern Prüf-Tool für digitale Zertifikatsketten zur Verfügung ∗∗∗ --------------------------------------------- Software-Anwendungen wie Browser oder E-Mail-Clients und Hardware-Komponenten wie VPN-Gateways, die auf Grund von Programmierfehlern ungültige Zertifikatsketten akzeptieren, stellen ein Sicherheitsrisiko für die authentisierte und vertrauliche Kommunikation über das Internet dar. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) stellt nun ein Prüf-Tool bereit, das Entwickler bei der korrekten Implementierung dieser Zertifikatspfadvalidierung unterstützt. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2018/pruef_tool_… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Bulletins Posted ∗∗∗ --------------------------------------------- Adobe has published security bulletins for Adobe Flash Player (APSB18-08), Adobe Experience Manager (APSB18-10), Adobe InDesign CC (APSB18-11), Digital Editions (APSB18-13) and the Adobe PhoneGap Push plugin (APSB18-15). Adobe recommends users update their product installations to the latest versions using [...] --------------------------------------------- https://blogs.adobe.com/psirt/?p=1542 ∗∗∗ Signal Bypass Screen locker ∗∗∗ --------------------------------------------- Signal for iOS, version 2.23.1.1 and prior, is vulnerable to screen lock bypass. The vulnerability, triggered by some click sequence, allows anyone to bypass password and TouchID authentication protections that iOS users can set on their device in order to increase application security and confidentiality. --------------------------------------------- http://nint.en.do/Signal-Bypass-Screen-locker.php ∗∗∗ SAP Security Patch Day - April 2018 ∗∗∗ --------------------------------------------- This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. --------------------------------------------- https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/ ∗∗∗ Update: Sicherheitslücken (teils kritisch) in Cisco IOS, Cisco IOS XE und Cisco IOS XR Software - Detaillierte Sicherheitshinweise für das Cisco IOS und IOS XE Smart Install Feature verfügbar ∗∗∗ --------------------------------------------- [...] Cisco hat ein Security Advisory mit Informationen zu CVE-2018-0171 und weiteren - teils schon älteren - Sicherheitslücken im Smart Install Feature von Cisco IOS und Cisco IOS XE veröffentlicht. Cisco empfiehlt die Umsetzung der im Advisory angeführten Maßnahmen zur Absicherung betroffener Systeme. --------------------------------------------- http://www.cert.at/warnings/all/20180329-2.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (libvorbis and thunderbird), Debian (pjproject), Fedora (compat-openssl10, java-1.8.0-openjdk-aarch32, libid3tag, python-pip, python3, and python3-docs), Gentoo (ZendFramework), Oracle (thunderbird), Red Hat (ansible, gcc, glibc, golang, kernel, kernel-alt, kernel-rt, krb5, kubernetes, libvncserver, libvorbis, ntp, openssh, openssl, pcs, policycoreutils, qemu-kvm, and xdg-user-dirs), SUSE (openssl and openssl1), and Ubuntu (python-crypto, [...] --------------------------------------------- https://lwn.net/Articles/751454/ ∗∗∗ IBM Security Bulletin: eDiscovery Manager is affected by GSKit and GSKit-Crypto vulnerabilities ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22014742 ∗∗∗ IBM Security Bulletin: IBM Communications Server for Data Center Deployment, IBM Communications Server for AIX, IBM Communications Server for Linux, and IBM Communications Server for Linux on System z are affected by a vulnerability. gskit ssl ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013978 ∗∗∗ IBM Security Bulletin: IBM Communications Server for Windows is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015200 ∗∗∗ NTP vulnerability CVE-2018-7185 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04912972 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.04.2018
by Daily end-of-shift report 09 Apr '18

09 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-04-2018 18:00 − Montag 09-04-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ARP Spoofing in 2018: are you protected?, (Mon, Apr 9th) ∗∗∗ --------------------------------------------- This week I was reminded how efficient ARP (Address Resolution Protocol) spoofing attacks might be. A single Android device equipped with offensive tools was enough to fool any device on a network and capture sensitive data. But wait, we are talking about a threat as old as ARP specification from 1982. There arent vulnerable networks to this nowadays, right? Wrong. --------------------------------------------- https://isc.sans.edu/diary/rss/23533 ∗∗∗ Hacked Website Trend Report – 2017 ∗∗∗ --------------------------------------------- We are proud to be releasing our latest Hacked Website Trend Report for 2017. This report is based on data collected and analyzed by the Sucuri Remediation Group (RG), which includes the Incident Response Team (IRT) and the Malware Research Team (MRT). The data presented stems from the analysis of 34,371 infected websites summarizing the latest trends by bad actors. --------------------------------------------- https://blog.sucuri.net/2018/04/hacked-website-trend-report-2017.html ∗∗∗ The dots do matter: how to scam a Gmail user ∗∗∗ --------------------------------------------- I recently received an email from Netflix which nearly caused caused me to add my card details to someone else’s Netflix account. Here I show that this is a new kind of phishing scam which is enabled by an obscure feature of Gmail called “the dots don’t matter”. I then argue that the dots do matter, and that this Gmail feature is in fact a misfeature. --------------------------------------------- https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-… ∗∗∗ Event Log Auditing, Demystified ∗∗∗ --------------------------------------------- the topic of reviewing event logs has received a fair amount grunts, groans, and questions such as “You honestly expect us to review all of that data?!” or “We have so many systems! Where would we even begin?” or “We already have enough on our plate to worry about!”. Fortunately, the times have changed, and log aggregation has matured over a relatively short amount of time. Its existence alone however is not the complete answer to log auditing woes. --------------------------------------------- https://medium.com/@jeremy.trinka/event-log-auditing-demystified-75b55879f0… ∗∗∗ How to prevent bypassing AppLocker using Alternate Data Streams ∗∗∗ --------------------------------------------- I usually write my blog-posts in german. This one is in english, because Sami Laiho asked me to do a short write-up, to make this problem available to a broader audience. Who is affected and what’s the problem? If you are using AppLocker Application-Whitelisting using Path-Rules with Exceptions you are probably affected. --------------------------------------------- https://hitco.at/blog/howto-prevent-bypassing-applocker-using-alternate-dat… ∗∗∗ Nicht bestellen bei salewaz.top! ∗∗∗ --------------------------------------------- Auf der Website salewaz.top findet man Kleidung und Sportausrüstung der bekannten Marke Salewa. Die Preise der Angebote sind um vieles niedriger als üblich für Salewa-Produkte, weshalb ein Kauf auf den ersten Blick attraktiv erscheint. KonsumentInnen sollten in diesem Shop auf keinen Fall bestellen, denn es handelt sich um betrügerische Anbieter und es wird trotz Bezahlung keine Ware verschickt. --------------------------------------------- https://www.watchlist-internet.at/news/nicht-bestellen-bei-salewaztop/ ===================== = Vulnerabilities = ===================== ∗∗∗ Bugtraq: [RT-SA-2017-015] CyberArk Password Vault Memory Disclosure ∗∗∗ --------------------------------------------- Data in the CyberArk Password Vault may be accessed through a proprietary network protocol. While answering to a client's logon request, the vault discloses around 50 bytes of its memory to the client. --------------------------------------------- http://www.securityfocus.com/archive/1/541931 ∗∗∗ Bugtraq: [RT-SA-2017-014] CyberArk Password Vault Web Access Remote Code Execution ∗∗∗ --------------------------------------------- The CyberArk Password Vault Web Access application uses authentication tokens which consist of serialized .NET objects. By crafting manipulated tokens, attackers are able to gain unauthenticated remote code execution on the web server. --------------------------------------------- http://www.securityfocus.com/archive/1/541932 ∗∗∗ Authentication Bypass Vulnerability Found in Auth0 Identity Platform ∗∗∗ --------------------------------------------- A critical authentication bypass vulnerability has been discovered in one of the biggest identity-as-a-service platform Auth0 that could have allowed a malicious attacker to access any portal or application, which are using Auth0 service for authentication. Auth0 offers token-based authentication solutions for a number of platforms including the ability to integrate social media ... --------------------------------------------- https://thehackernews.com/2018/04/auth0-authentication-bypass.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (openssl and zziplib), Debian (ldap-account-manager, ming, python-crypto, sam2p, sdl-image1.2, and squirrelmail), Fedora (bchunk, koji, libidn, librelp, nodejs, and php), Gentoo (curl, dhcp, libvirt, mailx, poppler, qemu, and spice-vdagent), Mageia (389-ds-base, aubio, cfitsio, libvncserver, nmap, and ntp), openSUSE (GraphicsMagick, ImageMagick, spice-gtk, and wireshark), Oracle (kubernetes), Slackware (patch), and SUSE (apache2 and openssl). --------------------------------------------- https://lwn.net/Articles/751346/ ∗∗∗ The BIG-IP DNS/GTM system may be exposed to DNS hijacking when the BIG-IP system host name belongs to a public domain name that the BIG-IP owner does not control ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32518458 ∗∗∗ Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Notice - Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2018/huawei-sn-20180104-01-… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in Samba affect IBM i ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022524 ∗∗∗ IBM Security Bulletin: Vulnerability in sendmail impacts AIX (CVE-2014-3956) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1027341 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.04.2018
by Daily end-of-shift report 06 Apr '18

06 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-04-2018 18:00 − Freitag 06-04-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Remote Execution Flaw Threatens Apps Built Using Spring Framework — Patch Now ∗∗∗ --------------------------------------------- Security researchers have discovered three vulnerabilities in the Spring Development Framework, one of which is a critical remote code execution flaw that could allow remote attackers to execute arbitrary code against applications built with it. Spring Framework is a popular, lightweight and an open source framework for developing Java-based enterprise applications. In an [...] --------------------------------------------- https://thehackernews.com/2018/04/spring-framework-hacking.html ∗∗∗ Sicherheitsforscher finden 1,5 Milliarden sensible Daten ∗∗∗ --------------------------------------------- Forscher des IT-Sicherheitsanbieters Digital Shadows haben eigenen Angaben zufolge weltweit rund 1,5 Milliarden Datensätze in falsch konfigurierten und daher frei zugänglichen Online-Speichern gefunden. Darunter befinden sich sensible Informationen wie medizinische Daten, Gehaltsabrechnungen oder Patente. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/news_forscher_fin… ∗∗∗ From PNG tEXt to Persistent XSS ∗∗∗ --------------------------------------------- I was on job for a client and was playing around with various endpoints they have for uploading files. They're really strict on several things and will only accept files with a .PNG extension. In one place, however, you were able to upload files with a .html extension ... score. Well, not really. You're allowed to upload [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/from-png-text-to-persistent-x… ∗∗∗ Warnung vor sportspoort.de ∗∗∗ --------------------------------------------- Der Online-Shop sportspoort.de verkauft günstige Adidas-Schuhe. Es handelt sich um gefälschte Markenware. Konsument/innen können sie ausschließlich über eine unsichere Verbindung mit ihrer Kreditkarte bezahlen. Die Watchlist Internet rät von einem Einkauf auf sportspoort.de ab, denn der Anbieter ist kriminell. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-sportspoortde/ ===================== = Vulnerabilities = ===================== ∗∗∗ Rockwell Automation MicroLogix ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper authentication vulnerability in the Rockwell MicroLogix Controller. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-095-01 ∗∗∗ Moxa MXview ∗∗∗ --------------------------------------------- This advisory includes mitigations for an information exposure vulnerability in the Moxa MXview network management software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-095-02 ∗∗∗ LCDS – Leão Consultoria e Desenvolvimento de Sistemas Ltda ME LAquis SCADA ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper check or handling of exceptional conditions vulnerability in LCDS – Leão Consultoria e Desenvolvimento de Sistemas Ltda ME LAquis SCADA device. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-095-03 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sharutils), Fedora (firefox, httpd, and mod_http2), openSUSE (docker-distribution, graphite2, libidn, and postgresql94), Oracle (libvorbis and thunderbird), Red Hat (libvorbis, python-paramiko, and thunderbird), Scientific Linux (libvorbis and thunderbird), SUSE (apache2), and Ubuntu (firefox, linux-lts-xenial, linux-aws, and ruby1.9.1, ruby2.0, ruby2.3). --------------------------------------------- https://lwn.net/Articles/751146/ ∗∗∗ [local] Sophos Endpoint Protection 10.7 - Tamper-Protection Bypass ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/44410/ ∗∗∗ [local] Sophos Endpoint Protection Control Panel 10.7 - Weak Password Encryption ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/44411/ ∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2018-1483) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22015317 ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Cognos TM1 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015269 ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Cognos Insight ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015268 ∗∗∗ IBM Security Bulletin: Vulnerability in Apache commons-fileupload affects IBM Algo One Algo Risk Application (ARA) CVE-2016-1000031 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015340 ∗∗∗ Intel SPI Flash Unsafe Opcodes Lets Local Users Cause Denial of Service Conditions ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1040626 ∗∗∗ [R1] SecurityCenter 5.6.2.1 Fixes One Third-party Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2018-03 ∗∗∗ The BIG-IP ASM CSRF token may fail to renew when the original web server renews its session ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K70517410 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.04.2018
by Daily end-of-shift report 05 Apr '18

05 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-04-2018 18:00 − Donnerstag 05-04-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Intel Tells Users to Uninstall Remote Keyboard App Over Unpatched Security Bugs ∗∗∗ --------------------------------------------- Intel has decided that instead of fixing three security bugs affecting the Intel Remote Keyboard Android app, it would be easier to discontinue the application altogether. --------------------------------------------- https://www.bleepingcomputer.com/news/security/intel-tells-users-to-uninsta… ∗∗∗ Natus Neuroworks: Sicherheitslücken in Gehirnscan-Software entdeckt ∗∗∗ --------------------------------------------- Der Scan der Hirnaktivitäten ist nicht gefährdet, das Krankenhaus aber schon: Sicherheitsexperten haben Schwachstellen in der Software von EEG-Geräten gefunden, die es ermöglichen, Code auf dem Gerät auszuführen und sich Zugriff auf das Krankenhausnetz zu verschaffen. (Security, Cisco) --------------------------------------------- https://www.golem.de/news/natus-neuroworks-sicherheitsluecken-in-gehirnscan… ∗∗∗ Apples Dateisystem: APFS-Probleme bleiben bestehen ∗∗∗ --------------------------------------------- Nach dem letzten Problem rund um die Klartextspeicherung von Passwörtern zu verschlüsselten APFS-Datenträgern stellt sich nach weiteren Untersuchungen heraus, dass die Passwörter mit 10.13.4 weiter lesbar sind. Die Passwörter verbleiben auch nach dem Patch in den Logs. (APFS, Apple) --------------------------------------------- https://www.golem.de/news/apples-dateisystem-apfs-probleme-bleiben-bestehen… ∗∗∗ Understanding Code Signing Abuse in Malware Campaigns ∗∗∗ --------------------------------------------- Using a machine learning system, we analyzed 3 million software downloads, involving hundreds of thousands of internet-connected machines, and provide insights in this three-part blog series. In the first part of this series, we took a closer look at unpopular software downloads and the risks they pose to organizations. We also briefly mentioned the problem regarding code signing abuse, which we will elaborate on in this post. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/understanding-c… ∗∗∗ Critical Infrastructure at Risk: Advanced Actors Target Smart Install Client ∗∗∗ --------------------------------------------- Cisco has recently become aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client. Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol. Some of these attacks are believed to be associated with nation-state actors, such as those described in U.S. CERTs recent alert. --------------------------------------------- http://blog.talosintelligence.com/2018/04/critical-infrastructure-at-risk.h… ∗∗∗ Keine 358.80 Euro an toxflix.de und ähnliche Streaming-Plattformen zahlen! ∗∗∗ --------------------------------------------- Die CINE STAR LTD ist laut Impressum verantwortlich für Streaming-Webseiten wie toxflix.de, roxflix.de oder laflix.de. Auf den Seiten werden Filme zum Streamen angeboten, vorab ist aber eine Registrierung durch die InteressentInnen notwendig. Die Anmeldung führt nach Ablauf einer 5-Tagesfrist zum Abschluss einer Premium-Mitgliedschaft und Forderungen in der Höhe von 358,80 Euro im Jahr. Der Betrag muss nicht bezahlt werden, denn ein gültiger Vertrag kommt nie zustande! --------------------------------------------- https://www.watchlist-internet.at/news/keine-35880-euro-an-toxflixde-und-ae… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (drupal), Debian (openjdk-7), Fedora (exempi, gd, and tomcat), SUSE (python-paramiko), and Ubuntu (kernel, libvncserver, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-lts-trusty, and linux-raspi2). --------------------------------------------- https://lwn.net/Articles/751026/ ∗∗∗ Vuln: Atlassian Bamboo CVE-2018-5224 Remote Security Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/103653 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Data Redaction ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22013308 ∗∗∗ IBM Security Bulletin: A vulnerability in Open Source Bind affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014266 ∗∗∗ IBM Security Bulletin: Potential spoofing attack in Liberty for Java for IBM Cloud (CVE-2017-1788) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015292 ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in IBM HTTP Server used by IBM WebSphere Application Server which is shipped with IBM PureApplication System (CVE-2017-12618) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011238 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Oracle Java SE affect IBM Spectrum Protect™ Plus ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014937 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK that affect IBM PureApplication System ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015284 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational Synergy ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015161 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Operations Center and Client Management Service (CVE-2017-10295, CVE-2017-10355, CVE-2017-10356) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013492 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect the IBM Spectrum Protect Server (CVE-2017-10295, CVE-2017-10355) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013493 ∗∗∗ IBM Security Bulletin: Potential Privilege Escalation and Information disclosure affect IBM WebSphere Application Server in IBM Cloud (CVE-2017-1731, CVE-2017-1741) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014721 ∗∗∗ IBM Security Bulletin: IBM Distributed Marketing Could Allow an Authenticated but Unauthorized User with Special Access to Change Security Policies (CVE-2017-1109) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015044 ∗∗∗ IBM Security Bulletin: IBM SPSS Statistics is affected by multiple GSKit vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015252 ∗∗∗ IBM Security Bulletin: XML External Entity Injection (XXE) Vulnerability Impacts IBM Campaign (CVE-2015-0254) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015263 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for ACH Services, Financial Transaction Manager for Check Services, and Financial Transaction Manager for Corporate Payment Services for ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014821 ∗∗∗ IBM Security Bulletin: Denial of Service in Apache CXF used by Liberty for Java for IBM Cloud (CVE-2017-12624) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015296 ∗∗∗ IBM Security Bulletin: Information Disclosure in IBM HTTP Server and Denial of Service in Apache CXF used by IBM WebSphere Application Server for IBM Cloud (CVE-2017-12613, CVE-2017-12624) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015297 ∗∗∗ FreeBSD IPsec AH Option Header Infinite Loop Lets Remote Users Cause the Target System to Crash ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1040628 ∗∗∗ HPE integrated Lights Out (iLO) TLS Diffie-Hellman Export Cipher Downgrade Attack Lets Remote Users Decrypt Connections ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1040630 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2018
by Daily end-of-shift report 04 Apr '18

04 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-04-2018 18:00 − Mittwoch 04-04-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Intel Admits It Wont Be Possible to Fix Spectre (V2) Flaw in Some Processors ∗∗∗ --------------------------------------------- As speculated by the researcher who disclosed Meltdown and Spectre flaws in Intel processors, some of the Intel processors will not receive patches for the Spectre (variant 2) side-channel analysis attack In a recent microcode revision guidance (PDF), Intel admits that it would not be possible to address the Spectre design flaw in its specific old CPUs, because it requires changes to the --------------------------------------------- https://thehackernews.com/2018/04/intel-spectre-vulnerability.html ∗∗∗ Pocket cryptofarms - Investigating mobile apps for hidden mining ∗∗∗ --------------------------------------------- We've noticed that attackers no longer limit themselves to servers, desktops, and laptops. They are increasingly drawn to mobile devices, mainly Android. We decided to take a closer look to see which mobile apps stealthily mine digital coins on user devices and how widespread they are. --------------------------------------------- https://securelist.com/pocket-cryptofarms/85137/ ∗∗∗ BSI warnt vor Sicherheitslücken in iTunes für Windows ∗∗∗ --------------------------------------------- Apples Medienverwaltung enthält mehrere kritische Fehler – nicht nur in der enthaltenen Browser-Engine WebKit. Sicherheits-Bugs stecken auch in der iCloud-Unterstützung für Windows. --------------------------------------------- https://heise.de/-4010622 ∗∗∗ Nvidia patcht mehrere Lücken in GPU-Treibern ∗∗∗ --------------------------------------------- Lücken in mehreren Nvidia-Grafikkartentreibern können unter anderem für die Code-Ausführung aus der Ferne missbraucht werden. Gepatchte Versionen stehen zum Download bereit. --------------------------------------------- https://www.heise.de/-4010707 ∗∗∗ LockCrypt ransomware: weakness in code can lead to recovery ∗∗∗ --------------------------------------------- A lesser-known variant called LockCrypt ransomware has been creeping around under the radar since June 2017. We take a look inside its code and expose its flaws. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2018/04/lockcrypt-ransomware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Malware Protection Engine: Sicherheitsupdate behebt kritische Schwachstelle ∗∗∗ --------------------------------------------- Am 03.04.18 hat Microsoft ein Update zur Behebung des kritischen Fehlers CVE-2018-0986 in der hauseigenen Antiviren-Software (Microsoft Malware Protection Engine) benutzt in zum Beispiel Windows Defender, Microsoft Security Essentials, Microsoft Intune Endpoint, Microsoft Forefront Endpoint 2010 sowie in Exchange Server 2013 und 2016 unter den Systemen Windows 7 bis Windows 10 beziehungsweise [...] --------------------------------------------- http://www.cert.at/services/blog/20180404151337-2161.html ∗∗∗ Siemens Building Technologies Products ∗∗∗ --------------------------------------------- This advisory includes mitigations for a series of vulnerabilities in Siemens Building Technologies Products, including stack-based buffer overflows, security features, improper restriction of operations within the bounds of a memory buffer, NULL pointer deference, XML entity expansion, heap-based buffer overflow, and improper access control. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-093-01 ∗∗∗ USN-3618-1: LibVNCServer vulnerability ∗∗∗ --------------------------------------------- LibVNCServer could be made to crash, expose sensitive information, or run programs if it received specially crafted network traffic. [...] It was discovered that LibVNCServer incorrectly handled certain packetlengths. A remote attacker able to connect to a LibVNCServer could possiblyuse this issue [...] --------------------------------------------- https://usn.ubuntu.com/3618-1/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, ldap-account-manager, and openjdk-7), Fedora (libuv and nodejs), Gentoo (glibc and libxslt), Mageia (acpica-tools, openssl, and php), SUSE (clamav, coreutils, and libvirt), and Ubuntu (kernel, libraw, linux-hwe, linux-gcp, linux-oem, and python-crypto). --------------------------------------------- https://lwn.net/Articles/750902/ ∗∗∗ IBM Security Bulletin: This Power Hardware Management Console (HMC) update is being released to address Common Vulnerabilities and Exposures issue numbers CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754 (known as Spectre and Meltdown). ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1022442 ∗∗∗ Cacti Input Validation Flaw in get_current_page() Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1040620 ∗∗∗ WordPress 4.9.5 Security and Maintenance Release ∗∗∗ --------------------------------------------- https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2018
by Daily end-of-shift report 03 Apr '18

03 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-03-2018 18:00 − Dienstag 03-04-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Java Deserialization Attack Against Windows, (Tue, Apr 3rd) ∗∗∗ --------------------------------------------- Recently we talked a lot about attacks exploiting Java deserialization vulnerabilties in systems like Apache SOLR and WebLogic. Most of these attacks targeted Linux/Unix systems. But recently, I am seeing more attacks that target windows. For example: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/23513 ∗∗∗ Sicherheitslücke in Apple Mail erlaubte Mitlesen verschlüsselter Nachrichten ∗∗∗ --------------------------------------------- Mit macOS 10.13.4 behebt der Mac-Hersteller einen Bug, über den Angreifer im lokalen Netz an Inhalte von mit S/MIME gesicherter Post gelangen konnten. Ob frühere Betriebssysteme weiterhin betroffen sind, bleibt unklar. --------------------------------------------- https://heise.de/-4009761 ∗∗∗ Fake-Profile sammeln auf Facebook Telefonnummern ∗∗∗ --------------------------------------------- Kriminelle erstellen auf Facebook Fake-Profile und geben sich so als Freund oder Freundin möglicher Opfer aus. Anschließend versuchen sie an die Telefonnummer der Betroffenen zu kommen, um Einkäufe über deren Mobilfunkrechnung tätigen zu können. Wer in die Falle tappt, verliert sein Geld. --------------------------------------------- https://www.watchlist-internet.at/news/fake-profile-sammeln-auf-facebook-te… ∗∗∗ iPhone X-Gewinnspiel kostet 89 Euro im Monat ∗∗∗ --------------------------------------------- Für die Teilnahme an einem iPhone X-Gewinnspiel auf braingamemasters.com sollen Konsumenten monatlich 89 Euro bezahlen. Der Betrag wird für eine Mitgliedschaft für das Spiel Trainyourbrainskils in Rechnung gestellt. Konsumenten müssen den Betrag nicht bezahlen, denn dafür gibt es keinen Rechtsgrund. --------------------------------------------- https://www.watchlist-internet.at/news/iphone-x-gewinnspiel-kostet-89-euro-… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Moxa AWK-3131A Multiple Features Login Username Parameter OS Command Injection Vulnerability ∗∗∗ --------------------------------------------- This vulnerability is discovered by Patrick DeSantis and Dave McDaniel of Cisco TalosToday, Talos is disclosing TALOS-2017-0507 (CVE-2017-14459), a vulnerability that has been identified in Moxa AWK-3131A industrial wireless access point. --------------------------------------------- http://blog.talosintelligence.com/2018/04/vulnerability-spotlight-moxa-awk-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dovecot, irssi, libevt, libvncserver, mercurial, mosquitto, openssl, python-django, remctl, rubygems, and zsh), Fedora (acpica-tools, dovecot, firefox, ImageMagick, mariadb, mosquitto, openssl, python-paramiko, rubygem-rmagick, and thunderbird), Mageia (flash-player-plugin and squirrelmail), Slackware (php), and Ubuntu (dovecot). --------------------------------------------- https://lwn.net/Articles/750759/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (beep and jruby), Fedora (libvncserver), and Ubuntu (openjdk-7 and openjdk-8). --------------------------------------------- https://lwn.net/Articles/750829/ ∗∗∗ 21 IBM Security Advisories 2018-04-03 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ [webapps] osCommerce 2.3.4.1 - Remote Code Execution ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/44374/?rss ∗∗∗ Security Advisory - Multiple Buffer Overflow Vulnerabilities in Bastet of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170405-… ∗∗∗ Security Advisory - MITM Vulnerability in Huawei Themes App in Some Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170908-… ∗∗∗ Security Advisory - CPU Vulnerabilities Meltdown and Spectre ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180106-… ∗∗∗ Android Security Bulletin - April 2018 ∗∗∗ --------------------------------------------- https://source.android.com/security/bulletin/2018-04-01.html ∗∗∗ Linux kernel vulnerability CVE-2017-17448 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01043241 ∗∗∗ Apache Commons FileUpload vulnerability CVE-2016-1000031 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K25206238 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.03.2018
by Daily end-of-shift report 30 Mar '18

30 Mar '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-03-2018 18:00 − Freitag 30-03-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 10 Steps to Avoid Insecure Deserialization ∗∗∗ --------------------------------------------- You might think that your applications are secure and safe from prying eyes, but hackers are using ever more sophisticated methods to capture your user data over the Internet. We will explore some of the most common insecure deserialization methods that have been uncovered recently, and look at 10 steps that can be implemented [...] --------------------------------------------- http://resources.infosecinstitute.com/10-steps-avoid-insecure-deserializati… ∗∗∗ How to Identify and Mitigate XXE Vulnerabilities ∗∗∗ --------------------------------------------- Security vulnerabilities that are created through the serialization of sensitive data are well known, yet some developers are still falling into this trap. We will look at some basic web application safeguards that you can employ to keep your applications hardened against this growing threat. To help understand this growing problem, we will turn [...] --------------------------------------------- http://resources.infosecinstitute.com/identify-mitigate-xxe-vulnerabilities/ ∗∗∗ ENISA publishes the first comprehensive study on cyber Threat Intelligence Platforms ∗∗∗ --------------------------------------------- ENISA has released the first comprehensive study on cyber Threat Intelligence Platforms (TIPs) focused on the needs of consumers, users, developers, vendors and the security research community. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/enisa-publishes-first-study-on-… ===================== = Vulnerabilities = ===================== ∗∗∗ Philips iSite/IntelliSpace PACS Vulnerabilities ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for vulnerabilities identified in the Philips Philips iSite and IntelliSpace PACS. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-088-01 ∗∗∗ WAGO 750 Series ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper resource shutdown or release vulnerability in the WAGO 750 series PLC. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-088-01 ∗∗∗ Siemens TIM 1531 IRC ∗∗∗ --------------------------------------------- This advisory includes mitigations for an incorrect implementation of authentication algorithm vulnerability in the Siemens TIM 1531 IRC communications modules. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-088-02 ∗∗∗ Siemens SIMATIC PCS 7, SIMATIC WinCC, SIMATIC WinCC Runtime Professional, and SIMATIC NET PC Software ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper input validation vulnerability in the Siemens SIMATIC PCS 7, SIMATIC WinCC, SIMATIC WinCC Runtime Professional, and SIMATIC NET PC Software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-088-03 ∗∗∗ Apple Releases Multiple Security Updates ∗∗∗ --------------------------------------------- Original release date: March 29, 2018 Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.NCCIC/US-CERT encourages users and administrators to review Apple security pages for the following products and apply the necessary updates:iOS 11.3, tvOS 11.3, watchOS 4.3, Xcode 9.3 [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2018/03/29/Apple-Releases-Mul… ∗∗∗ Kritische Sicherheitslücke in Microsoft Windows - Patch verfügbar ∗∗∗ --------------------------------------------- Microsoft hat ein Security Advisory sowie ein Sicherheitsupdate dazu ausserhalb des normalen Patch-Zyklus veröffentlicht. Der Bug ermöglicht einem Angreifer durch eine Privilege Escalation beliebigen Code mit Kernel Rechten auszuführen. CVE: CVE-2018-1038 Details: Durch Ausnutzen der Lücke kann ein Angreifer höhere Rechte auf betroffenen Systemen erlangen, und [...] --------------------------------------------- http://www.cert.at/warnings/all/20180330.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (memcached, openssl, openssl1.0, php5, thunderbird, and xerces-c), Fedora (python-notebook, slf4j, and unboundid-ldapsdk), Mageia (kernel, libvirt, mailman, and net-snmp), openSUSE (aubio, cacti, cacti-spine, firefox, krb5, LibVNCServer, links, memcached, and tomcat), Slackware (ruby), SUSE (kernel and python-paramiko), and Ubuntu (intel-microcode). --------------------------------------------- https://lwn.net/Articles/750573/ ∗∗∗ IBM Security Bulletin: IBM Web Experience Factory is Affected by an Apache Poi Vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014912 ∗∗∗ IBM Security Bulletin: IBM Aspera Platform On Demand, IBM Aspera Server On Demand, IBM Aspera Faspex On Demand, IBM Aspera Shares On Demand, IBM Aspera Transfer Cluster Manager is affected by the vulnerabilities known as Spectre and Meltdown. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22012643 ∗∗∗ IBM Security Bulletin: Potential spoofing attack in IBM WebSphere Application Server in IBM Cloud (CVE-2017-1788) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014798 ∗∗∗ IBM Security Bulletin: IBM MobileFirst Platform Foundation is vulnerable to cross-site scripting (CVE-2017-1772) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000369 ∗∗∗ IBM Security Bulletin: OpenSource Apache ActiveMQ vulnerabilities identified with IBM Tivoli Integrated Portal (TIP) v2.2 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014179 Next End-of-Day report: 2018-04-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.03.2018
by Daily end-of-shift report 29 Mar '18

29 Mar '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-03-2018 18:00 − Donnerstag 29-03-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Total Meltdown? ∗∗∗ --------------------------------------------- Did you think Meltdown was bad? Unprivileged applications being able to read kernel memory at speeds possibly as high as megabytes per second was not a good thing. Meet the Windows 7 Meltdown patch from January. It stopped Meltdown but opened up a vulnerability way worse [...] --------------------------------------------- https://blog.frizk.net/2018/03/total-meltdown.html ∗∗∗ Warnung vor Travel Planet Amsterdam ∗∗∗ --------------------------------------------- Urlauber/innen finden auf Travel Planet Amsterdam (travelplanetamsterdam.com) günstige Unterkünfte. Sie sind von fremden Websites kopiert und in Wahrheit nicht bei dem Anbieter buchbar. Die Unterkünfte sollen Reisende vorab bezahlen. Das Geld ist verloren, denn Travel Planet Amsterdam ist ein betrügerischer Anbieter, der keine Leistung erbringt. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-travel-planet-amsterdam/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Angreifer könnten Firefox und Tor Browser lahmlegen ∗∗∗ --------------------------------------------- Die Entwickler haben die Lücke in Firefox 59.0.2, Firefox ESR 52.7.3 und Tor Browser 7.5.3 geschlossen. Alle vorigen Ausgaben sind bedroht. Angriffe sollen aus der Ferne ohne Authentifizierung möglich sein. Das von der Schwachstelle ausgehende Risiko gilt als "hoch". --------------------------------------------- https://heise.de/-4007839 ∗∗∗ Citrix XenServer 7.2 Multiple Security Updates ∗∗∗ --------------------------------------------- A number of security issues have been identified within Citrix XenServer 7.2 which could, if exploited, allow a malicious man-in-the-middle (MiTM) attacker on the management network to decrypt management traffic. Collectively, this has been rated as a medium severity vulnerability; the following issues have been remediated: CVE-2016-2107 CVE-2016-2108 --------------------------------------------- https://support.citrix.com/article/CTX233832 ∗∗∗ Sicherheitslücken (teils kritisch) in Cisco IOS, Cisco IOS XE und Cisco IOS XR Software - Patches verfügbar ∗∗∗ --------------------------------------------- Sicherheitslücken (teils kritisch) in Cisco IOS, Cisco IOS XE und Cisco IOS XR Software - Patches verfügbar 29. März 2018 Beschreibung Cisco hat 20 Security Advisories zu teils kritischen Sicherheitslücken in Cisco IOS, Cisco IOS XE und Cisco IOS XR Software veröffentlicht. Drei der Schwachstellen werden mit einem CVSS Base Score von 9.8 als kritisch eingestuft: ... --------------------------------------------- http://www.cert.at/warnings/all/20180329-2.html ∗∗∗ Kritische Sicherheitslücke in Drupal - Updates verfügbar ∗∗∗ --------------------------------------------- Kritische Sicherheitslücke in Drupal - Updates verfügbar 29. März 2018 Beschreibung In der verbreiteten CMS-Software Drupal ist eine kritische Sicherheitslücke entdeckt worden. Durch Ausnutzung dieses Fehlers kann auf betroffenen Systemen beliebiger Code (mit den Rechten des Webserver-Users) ausgeführt werden. CVE-Nummer: CVE-2018-7600 --------------------------------------------- http://www.cert.at/warnings/all/20180329.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7, graphicsmagick, libdatetime-timezone-perl, thunderbird, and tzdata), Fedora (gd, libtiff, mozjs52, and nmap), Gentoo (thunderbird), Red Hat (openstack-tripleo-common, openstack-tripleo-heat-templates and sensu), SUSE (kernel, libvirt, and memcached), and Ubuntu (icu, librelp, openssl, and thunderbird). --------------------------------------------- https://lwn.net/Articles/750432/ ∗∗∗ Bugtraq: CA20180328-01: Security Notice for CA API Developer Portal ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541902 ∗∗∗ IBM Security Bulletin: IBM SPSS Statistics is affected by an Apache Poi vulnerability (CVE-2017-12626) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015075 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg2C1000372 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2017-10295, CVE-2017-10345, CVE-2017-10355, CVE-2017-10356) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22013651 ∗∗∗ IBM Security Bulletin: IBM MQ Clients can send a specially crafted message that could cause a channel to SIGSEGV. (CVE-2017-1747) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22012992 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect MegaRAID Storage Manager (CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099794 ∗∗∗ cURL and libcurl vulnerability CVE-2017-2628 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K35453761 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2018
by Daily end-of-shift report 28 Mar '18

28 Mar '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-03-2018 18:00 − Mittwoch 28-03-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Many VPN Providers Leak Customers IP Address via WebRTC Bug ∗∗∗ --------------------------------------------- Around 20% of todays top VPN solutions are leaking the customers IP address via a WebRTC bug known since January 2015, and which apparently some VPN providers have never heard of. --------------------------------------------- https://www.bleepingcomputer.com/news/security/many-vpn-providers-leak-cust… ∗∗∗ 10 Best Practices for Mobile App Penetration Testing ∗∗∗ --------------------------------------------- Penetration testing is one of the best ways to thoroughly check your defense perimeters for security weaknesses. Pentesting can be used across the entire spectrum of an IT infrastructure, including network, web application and database security. But today [...] --------------------------------------------- http://resources.infosecinstitute.com/10-best-practices-mobile-app-penetrat… ∗∗∗ How to Set Up a Web App Pentesting Lab in 4 Easy Steps ∗∗∗ --------------------------------------------- A pentesting lab can be a small entity used by one security tester, consisting of one or two computers; or it could be a larger set of networked computers behind a closed or secured network, used by a group of security testers. --------------------------------------------- http://resources.infosecinstitute.com/set-web-app-pentesting-lab-4-easy-ste… ∗∗∗ Security baseline for Windows 10 v1803 “Redstone 4” – DRAFT ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the draft release of the security configuration baseline settings for the upcoming Windows 10 version 1803, codenamed "Redstone 4." Please evaluate this proposed baseline and send us your feedback via blog comments below. Download the content here: DRAFT-Windows-10-v1803-RS4 The downloadable attachment to this blog post includes importable GPOs, scripts for applying [...] --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2018/03/27/security-baseline-f… ∗∗∗ Unmasking Monero: stripping the currency’s privacy protection ∗∗∗ --------------------------------------------- The features that make blockchains trustworthy may leave them vulnerable to retrospective action. --------------------------------------------- https://nakedsecurity.sophos.com/2018/03/28/unmasking-monero-stripping-the-… ∗∗∗ TA18-086A: Brute Force Attacks Conducted by Cyber Actors ∗∗∗ --------------------------------------------- [...] According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad. On February 2018 [...] --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA18-086A ∗∗∗ Legacy technologies as a threat to EU's telecommunications infrastructure ∗∗∗ --------------------------------------------- EU level assessment of the current sets of protocols used in interconnections in telecommunications (SS7, Diameter). --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/legacy-technologies-as-a-threat… ∗∗∗ Internet Ombudsmann und Watchlist Internet Jahresbericht 2017 ∗∗∗ --------------------------------------------- Der Internet Ombudsmann informiert auf der Watchlist Internet über Internet-Betrug, Fallen und Fakes. Die Watchlist Internet verfolgt das Ziel, Leser/innen dabei zu helfen, dass sie Verbrechensversuche erkennen und keine Opfer von Cybercrime werden. Im vergangenen Jahr 2017 verfügte die Watchlist Internet über 906 redaktionelle Beiträge und verzeichnete 1,45 Millionen Seitenaufrufe. --------------------------------------------- https://www.watchlist-internet.at/news/internet-ombudsmann-und-watchlist-in… ∗∗∗ Betrügerische Mahnungen von Prolex Inkasso ∗∗∗ --------------------------------------------- Konsument/innen erhalten im Auftrag von unseriösen Streaming-Plattformen eine Mahnung von Prolex Inkasso. Darin heißt es, dass Empfänger/innen ihre offenen Rechnungen nicht beglichen haben. Deshalb sollen sie 467,16 Euro an Prolex zahlen. Die Mahnung ist betrügerisch, eine Zahlungspflicht besteht nicht. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-mahnungen-von-prolex-… ===================== = Vulnerabilities = ===================== ∗∗∗ Apples Festplattendienstprogramm "Disk Util.app" von macOS 10.13 High Sierra kann Passwort von verschlüsselten APFS-Dateisystemen offenlegen ∗∗∗ --------------------------------------------- Die Ausnutzung der Schwachstelle ermöglicht es einem lokalen Angreifer mit Administratorrechten und Zugriff auf das System-Log mit Besitz des externen Datenträgers das verschlüsselte APFS-Dateisystem zu entschlüsseln. Alle Nutzer des Festplattenprogramms sollten auf Ihren Systemen die neueste Version installieren, sobald diese zur Verfügung steht. Bis dahin sollten die Nutzer [...] --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2018/03/warn… ∗∗∗ Schneider Electric Modicon Premium, Modicon Quantum, Modicon M340, and Modicon BMXNOR0200 ∗∗∗ --------------------------------------------- This advisory includes mitigations for several vulnerabilities in the Schneider Electric Modicon Premium, Modicon Quantum, Modicon M340, and Modicon BMXNOR0200 PLCs. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-086-01 ∗∗∗ Philips Alice 6 Vulnerabilities ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for improper authentication and missing data encryption vulnerabilities identified in the Philips Alice 6 System product. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-086-01 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (slf4j), Debian (firefox-esr, mupdf, net-snmp, and samba), Fedora (apache-commons-compress, calibre, chromium, glpi, kernel, libvncserver, libvorbis, mozjs52, ntp, slurm, sqlite, and wireshark), openSUSE (librelp), SUSE (librelp, LibVNCServer, and qemu), and Ubuntu (firefox and zsh). --------------------------------------------- https://lwn.net/Articles/750291/ ∗∗∗ Vuln: ImageMagick CVE-2018-8960 Heap Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/103523 ∗∗∗ Security Advisory - Improper Authorization Vulnerability on Huawei Switch Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180328-… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK Affect IBM B2B Advanced Communications ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014642 ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSH affects IBM DataPower Gateways (CVE-2017-15906) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014534 ∗∗∗ IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2017-1654) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012162 ∗∗∗ RSA Authentication Agent for Web Multiple Flaws Let Remote Users Deny Service and Conduct Cross-Site Scripting Attacks and Let Local Users Obtain Potentially Sensitive Information ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1040577 ∗∗∗ [R1] Tenable Appliance 4.7.0 Fixes One Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2018-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.03.2018
by Daily end-of-shift report 27 Mar '18

27 Mar '18

===================== = End-of-Day report = ===================== Timeframe: Montag 26-03-2018 18:00 − Dienstag 27-03-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Academics Discover New CPU Side-Channel Attack Named BranchScope ∗∗∗ --------------------------------------------- A team of academics from four US universities have discovered a new side-channel attack that takes advantage of the speculative execution feature in modern processors to recover data from users CPUs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/academics-discover-new-cpu-s… ∗∗∗ Exploit kit development has gone to sh$t... ever since Adobe Flash was kicked to the curb ∗∗∗ --------------------------------------------- Coinkidink? Nah. Crooks are switching tactics There was a big drop in exploit kit development last year, and experts have equated this to the phasing out of Adobe Flash. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/03/27/exploit_kit… ∗∗∗ E-Mail-Verschlüsselung: Enigmail 2.0 ist da ∗∗∗ --------------------------------------------- Mit der neuen Enigmail-Version 2.0 für den Mail-Client Thunderbird kann man unter anderem neben Text in Mails nun auch die Betreffzeile verschlüsseln. --------------------------------------------- https://heise.de/-4005589 ∗∗∗ The Last Windows XP Security White Paper ∗∗∗ --------------------------------------------- Using the strategies and procedures we present in our paper could help prevent an attacker from taking control of your computer --------------------------------------------- https://www.welivesecurity.com/2018/03/27/last-windows-xp-security-white-pa… ===================== = Vulnerabilities = ===================== ∗∗∗ Mozilla Releases Security Updates for Firefox ∗∗∗ --------------------------------------------- Original release date: March 27, 2018 Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to cause a denial-of-service condition. NCCIC/US-CERT encourages users and administrators to review the Mozilla Security Advisory for Firefox 59.0.2 and Firefox ESR 52.7.3 and apply the necessary updates. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2018/03/27/Mozilla-Releases-S… ∗∗∗ 2018-02-06 (updated 2018-03-27): Vulnerability in MicroSCADA Pro SYS600 9.x - Improper Access Control ∗∗∗ --------------------------------------------- 3.2.2018 Original document, 16.3.2018 Fix for SYS600 9.3 systems is available. Clarified file system permissions for created Windows groups, see FAQ. --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=1MRS257731&LanguageC… ∗∗∗ OpenSSL Security Advisory [27 Mar 2018] ∗∗∗ --------------------------------------------- Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739) Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733) rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) --------------------------------------------- https://openssl.org/news/secadv/20180327.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, irssi, and librelp), Gentoo (busybox and plib), Mageia (exempi and jupyter-notebook), openSUSE (clamav, dhcp, nginx, python-Django, python3-Django, and thunderbird), Oracle (slf4j), Red Hat (slf4j), Scientific Linux (slf4j), Slackware (firefox), SUSE (librelp), and Ubuntu (screen-resolution-extra). --------------------------------------------- https://lwn.net/Articles/750207/ ∗∗∗ Bugtraq: Microsoft Skype Mobile v81.2 & v8.13 - Remote Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541897 ∗∗∗ DFN-CERT-2018-0574: Librelp: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0574/ ∗∗∗ DFN-CERT-2018-0573: Jenkins-Plugins: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0573/ ∗∗∗ DFN-CERT-2018-0575: Sophos UTM: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0575/ ∗∗∗ DFN-CERT-2018-0581: Apache Struts: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0581/ ∗∗∗ Security Notice - Statement on Command Injection Vulnerability in Huawei HG655m Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2018/huawei-sn-20180327-01-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099782 ∗∗∗ IBM Security Bulletin: ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1027315 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014717 ∗∗∗ IBM Security Bulletin: IBM B2B Advanced Communications is Affected by an XML External Entity Injection (XXE) Attack when Processing XML Data ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014656 ∗∗∗ IBM Security Bulletin: Security Bulletin: IBM Security Privileged Identity Manager is affected by sensitive information in page comments vulnerability (CVE-2017-1705) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014988 ∗∗∗ NTP vulnerability CVE-2018-7184 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13540723 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.03.2018
by Daily end-of-shift report 26 Mar '18

26 Mar '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-03-2018 18:00 − Montag 26-03-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücke: Microsoft unterbindet RDP-Anfragen von ungepatchten Clients ∗∗∗ --------------------------------------------- Eine kritische Sicherheitslücke in Microsofts Credential Security Support Provider versetzt Angreifer in die Lage, beliebigen Code auszuführen. Deswegen unterbindet das Unternehmen demnächst Verbindungsversuche ungepatchter Clients, Admins sollten also schnell handeln. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-microsoft-unterbindet-rdp-anfra… ∗∗∗ Threat Landscape for Industrial Automation Systems in H2 2017 ∗∗∗ --------------------------------------------- Kaspersky Lab ICS CERT publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second half of 2017. The main objective of these publications is to provide information support to incident response teams, enterprise information security staff and researchers in the area of industrial facility security. --------------------------------------------- http://securelist.com/threat-landscape-for-industrial-automation-systems-in… ∗∗∗ KVA Shadow: Mitigating Meltdown on Windows ∗∗∗ --------------------------------------------- On January 3rd, 2018, Microsoft released an advisory and security updates that relate to a new class of discovered hardware vulnerabilities, termed speculative execution side channels, that affect the design methodology and implementation decisions behind many modern microprocessors. This post dives into the technical details of Kernel Virtual Address (KVA) Shadow which is the Windows [...] --------------------------------------------- https://blogs.technet.microsoft.com/srd/2018/03/23/kva-shadow-mitigating-me… ∗∗∗ Adding Backdoors at the Chip Level ∗∗∗ --------------------------------------------- Interesting research into undetectably adding backdoors into computer chips during manufacture: "Stealthy dopant-level hardware Trojans: extended version," also available here:Abstract: In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical-infrastructure applications, could be maliciously manipulated during the manufacturing [...] --------------------------------------------- https://www.schneier.com/blog/archives/2018/03/adding_backdoor.html ∗∗∗ Web Application Penetration Testing Cheat Sheet ∗∗∗ --------------------------------------------- This cheatsheet is intended to run down the typical steps performed when conducting a web application penetration test. I will break these steps down into sub-tasks and describe the tools I recommend using at each level. --------------------------------------------- https://jdow.io/blog/2018/03/18/web-application-penetration-testing-methodo… ∗∗∗ Gefälschte A1-Mail fordert SIM-Karten-Aktualisierung ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte A1-Nachricht. Darin fordern sie Kund/innen dazu auf, dass sie ihre SIM-Karten-Details aktualisieren. Das soll auf einer gefälschten A1-Website geschehen. Kund/innen, die der Aufforderung nachkommen, übermitteln sensible Informationen an Kriminelle und werden Opfer eines Datendiebstahls. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-a1-mail-fordert-sim-kart… ∗∗∗ Achtung vor gefälschter Klarna-Rechnung! ∗∗∗ --------------------------------------------- Unter dem Betreff "Offene Rechnung von Klarna" versenden Kriminelle gefälschte Rechnungen. EmpfängerInnen werden in der E-Mail aufgefordert eine angehängte ZIP-Datei zu öffnen, um weiterführende Informationen zu offenen Beträgen zu erhalten. Die ZIP-Datei enthält jedoch Schadsoftware, Betroffene dürfen die Datei daher nicht öffnen und sollten die E-Mail löschen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-gefaelschter-klarna-rech… ∗∗∗ Forgot About Default Accounts? No Worries, GoScanSSH Didn’t ∗∗∗ --------------------------------------------- This blog post was authored by Edmund Brumaghin, Andrew Williams, and Alain Zidouemba.Executive SummaryDuring a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics. This is not the first malware family that Talos has observed that was written using Go. --------------------------------------------- http://blog.talosintelligence.com/2018/03/goscanssh-analysis.html ∗∗∗ One Year Later, Hackers Still Target Apache Struts Flaw ∗∗∗ --------------------------------------------- One year after researchers saw the first attempts to exploit a critical remote code execution flaw affecting the Apache Struts 2 framework, hackers continue to scan the Web for vulnerable servers. The vulnerability in question, tracked as CVE-2017-5638, affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. The security hole was addressed on March 6, 2017 with the release of versions 2.3.32 and 2.5.10.1. The bug, caused due to improper handling of the Content-Type header, can be [...] --------------------------------------------- https://www.securityweek.com/one-year-later-hackers-still-target-apache-str… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bchunk, thunderbird, and xerces-c), Debian (freeplane, icu, libvirt, and net-snmp), Fedora (monitorix, php-simplesamlphp-saml2, php-simplesamlphp-saml2_1, php-simplesamlphp-saml2_3, puppet, and qt5-qtwebengine), openSUSE (curl, libmodplug, libvorbis, mailman, nginx, opera, python-paramiko, and samba, talloc, tevent), Red Hat (python-paramiko, rh-maven35-slf4j, rh-mysql56-mysql, rh-mysql57-mysql, rh-ruby22-ruby, rh-ruby23-ruby, and [...] --------------------------------------------- https://lwn.net/Articles/750150/ ∗∗∗ Bugtraq: Cross-Site Scripting vulnerability in Zimbra Collaboration Suite due to the way it handles attachment links ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541891 ∗∗∗ Norton App Lock Authentication Bypass ∗∗∗ --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… ∗∗∗ DFN-CERT-2018-0566: Nmap: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0566/ ∗∗∗ DFN-CERT-2018-0569: Moodle: Zwei Schwachstellen ermöglichen u.a. einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0569/ ∗∗∗ DFN-CERT-2018-0571: Mozilla Thunderbird: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0571/ ∗∗∗ DFN-CERT-2018-0570: Apache Software Foundation HTTP-Server (httpd): Mehrere Schwachstellen ermöglichen u.a. die Manipulation von Sitzungsdaten ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0570/ ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in Business Space affects IBM Business Process Manager, WebSphere Process Server, and WebSphere Enterprise Service Bus (CVE-2018-1384) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22012604 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in IBM Business Process Manager (CVE-2017-1767) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22012396 ∗∗∗ IBM Security Bulletin: Potential information leakage in IBM Business Process Manager (CVE-2017-1756) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010796 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability affects Rational Engineering Lifecycle Manager ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014831 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.03.2018
by Daily end-of-shift report 23 Mar '18

23 Mar '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-03-2018 18:00 − Freitag 23-03-2018 18:00 Handler: Robert Waldner Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Wichtige Updates sichern GitLab ab ∗∗∗ --------------------------------------------- Wer Software-Projekte über GitLab verwaltet, sollte zügig die aktuellen Sicherheitspatches installieren. Sonst könnten Angreifer eventuell Schadcode ausführen. --------------------------------------------- https://www.heise.de/meldung/Wichtige-Updates-sichern-GitLab-ab-4002151.html ∗∗∗ Atlanta: Kryptotrojaner trifft Stadtverwaltung ∗∗∗ --------------------------------------------- Die US-Metropole Atlanta wurde von einem Kryptotrojaner getroffen, der Teile des Computernetzes der Stadtregierung lahmgelegt hat. Derzeit versuchen das FBI und das Heimatschutzministerium, das Problem zu beheben. --------------------------------------------- https://www.heise.de/meldung/Atlanta-Kryptotrojaner-trifft-Stadtverwaltung-… ===================== = Vulnerabilities = ===================== ∗∗∗ Siemens SIMATIC WinCC OA UI Mobile App ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper access control vulnerability in the Siemens WinCC OA UI mobile app for Android and IOS. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-081-01 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services for Multiplatforms ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014820 ∗∗∗ IBM Security Bulletin: There are potential Cross Site Scripting (XSS) vulnerabilities in the Duplicate Detect component in Financial Transaction Manager (FTM) for Check Services (CVE-2018-1390) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014795 ∗∗∗ IBM Security Bulletin: IBM API Connect has released 5.0.8.2 iFix in response to the vulnerabilities known as Spectre and Meltdown. ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014530 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.03.2018
by Daily end-of-shift report 22 Mar '18

22 Mar '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-03-2018 18:00 − Donnerstag 22-03-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 10 Steps to Detect Lateral Movement in a Data Breach ∗∗∗ --------------------------------------------- Many enterprises spend millions of dollars on solutions that promise to bolster their security. However, much less focus is placed on the ability to detect lateral movement during a breach. --------------------------------------------- http://resources.infosecinstitute.com /10-steps-detect-lateral-movement-data-breach/ ∗∗∗ Siri plaudert geheime Nachrichten von iPhone-Nutzern aus ∗∗∗ --------------------------------------------- Neu entdeckter Bug unterwandert zentrale Sicherheitssperren des Apple-Smartphones --------------------------------------------- http://derstandard.at/2000076603171 ===================== = Vulnerabilities = ===================== ∗∗∗ Bugtraq: ModSecurity WAF 3.0 for Nginx - Denial of Service ∗∗∗ --------------------------------------------- During one of the engagements my team tested a WAF running in production Nginx + ModSecurity + OWASP Core Rule Set. In the system logs I found information about the Nginx worker processes being terminated due to memory corruption errors. --------------------------------------------- http://www.securityfocus.com/archive/1/541886 ∗∗∗ JSON API - Moderately critical - Access Bypass - SA-CONTRIB-2018-016 ∗∗∗ --------------------------------------------- This module provides a JSON API standards-compliant API for accessing and manipulating Drupal content and configuration entities. The module doesn't sufficiently check access when viewing related resources or relationships, thereby causing an access bypass vulnerability. --------------------------------------------- https://www.drupal.org/sa-contrib-2018-016 ∗∗∗ DFN-CERT-2018-0557/">Oracle Solaris: Mehrere Schwachstellen ermöglichen verschiedene Denial-of-Service-Angriffe ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in ISC BIND, ISC DHCP und Wireshark für Oracle Solaris 11.3 ermöglichen einem entfernten, nicht authentisierten Angreifer die Durchführung verschiedener Denial-of-Service (DoS)-Angriffe. --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0557/ ∗∗∗ Drupal stellt Sicherheitsupdate für extrem kritische Lücke in Aussicht ∗∗∗ --------------------------------------------- Wer das CMS Drupal einsetzt, sollte sich den 28. März im Kalender markieren, um wichtige Sicherheitsupdates für verschiedene Versionen zu installieren. --------------------------------------------- https://heise.de/-4001063 ∗∗∗ Flaws in ManageEngine apps opens enterprise systems to compromise ∗∗∗ --------------------------------------------- Researchers have discovered multiple severe vulnerabilities in ManageEngine’s line of tools for internal IT support teams, which are used by over half of Fortune 500 companies. About the vulnerabilities The first flaw affects EventLog Analyzer 11.8 and Log360 5.3, and could be exploited to achieve remote code execution with the same privileges as the user that started the application, by uploading a web shell to be written to the web root. --------------------------------------------- https://www.helpnetsecurity.com/2018/03/22/manageengine-apps-flaws/ ∗∗∗ TMM WebSocket vulnerability CVE-2018-5504 ∗∗∗ --------------------------------------------- In some circumstances, the Traffic Management Microkernel (TMM) does not properly handle certain malformed WebSocket requests/responses, which allows remote attackers to cause a denial of service (DoS) or possible remote code execution on the BIG-IP system. (CVE-2018-5504) This vulnerability allows unauthorized remote code execution and disruption of service through an unspecified crafted WebSocket packet. --------------------------------------------- https://support.f5.com/csp/article/K11718033 ∗∗∗ Multiple Wireshark vulnerabilities ∗∗∗ --------------------------------------------- A remote attacker can transmit crafted packets while a BIG-IP administrator account runs the tshark utility with the affected protocol parsers via Advanced Shell (bash). This causes the tshark utility to stop responding and may allow remote code execution from the BIG-IP administrator account. --------------------------------------------- https://support.f5.com/csp/article/K34035645 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (lib32-libvorbis), Debian (exempi and polarssl), Gentoo (collectd and webkit-gtk), openSUSE (postgresql96), SUSE (qemu), and Ubuntu (libvorbis). --------------------------------------------- https://lwn.net/Articles/749958/ ∗∗∗ IBM Security Bulletin: IBM MQ Appliance is affected by a cross-site scripting vulnerability ( CVE-2018-1429). ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014046 ∗∗∗ IBM Security Bulletin: Vulnerability found in OpenSSL release used by Windows and z/OS Security Identity Adapters (CVE-2017-3736) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014629 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099781 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Network Protection ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011787 ∗∗∗ IBM Security Bulletin: Vulnerability in GNU C Library affects IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems (CVE-2017-15670) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099788 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by a denial of service vulnerability in cURL (CVE-2017-1000257) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011740 ∗∗∗ IBM Security Bulletin: IBM QRadar Network Security is affected by vulnerabilities in Linux kernel ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011746 ∗∗∗ IBM Security Bulletin: Vulnerability found in OpenSSL release used by Windows and z/OS Security Identity Adapters (CVE-2017-3735) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014628 ∗∗∗ IBM Security Bulletin: IBM Tivoli Netcool Impact is affected by multiple vulnerabilities in IBM Tivoli Integrated Portal (TIP) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014253 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily