=====================
= End-of-Day report =
=====================
Timeframe: Freitag 10-01-2020 18:00 − Montag 13-01-2020 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Citrix CVE-2019-19781 aktiv ausgenutzt ∗∗∗
---------------------------------------------
Ende 2019 wurde eine Sicherheitslücke in diversen Citrix-Geräten bekannt (CVE-2019-19781), die das Ausführen beliebiger Befehle über das Netzwerk ohne jegliche Authentifikation ermöglicht (unauthenticated RCE). Am 10. Jänner 2020 wurde der erste Exploit für diese Lücke auf GitHub veröffentlicht und sie wird (spätestens) seit diesem Zeitpunkt aktiv ausgenutzt.
---------------------------------------------
https://cert.at/de/blog/2020/1/citrix-cve-2019-19781-aktiv-ausgenutzt
∗∗∗ Network Traffic Analysis for Incident Response: Internet Protocol with Wireshark ∗∗∗
---------------------------------------------
The Internet Protocol (IP) is the most widely-used network-level protocol. Common transport-level protocols, the Transport Control Protocol (TCP) and the User Datagram Protocol (UDP), are encapsulated within IP packets. The purpose of IP is to make networks like the internet possible. Within a subnet, it is possible to route traffic [...]
---------------------------------------------
https://resources.infosecinstitute.com/network-traffic-analysis-for-inciden…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (file and firefox), Debian (apache-log4j1.2), Fedora (chromium, dovecot, GraphicsMagick, kubernetes, libvpx, makepasswd, matio, and slurm), Mageia (libtomcrypt, ming, oniguruma, opencv, pcsc-lite, phpmyadmin, and thunderbird), openSUSE (chromium, chromium, re2, and mozilla-nspr, mozilla-nss), Red Hat (chromium-browser, firefox, and rabbitmq-server), Slackware (mozilla), and SUSE (crowbar-core, crowbar-openstack, [...]
---------------------------------------------
https://lwn.net/Articles/809312/
∗∗∗ Security Advisory - Weak Algorithm Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200108-…
∗∗∗ Security Vulnerabilities fixed in Thunderbird 68.4.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2020-04/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 09-01-2020 18:00 − Freitag 10-01-2020 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Remote iPhone Exploitation Part 1: Poking Memory via iMessage and CVE-2019-8641 ∗∗∗
---------------------------------------------
This is the first blog post in a three-part series that will detail how a vulnerability in iMessage can be exploited remotely without any user interaction on iOS 12.4 (fixed in iOS 12.4.1 in August 2019). It is essentially a more detailed version of my 36C3 talk from December 2019.
---------------------------------------------
https://googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-p…
∗∗∗ Windows Debugging & Exploiting Part 3: WinDBG Time Travel Debugging ∗∗∗
---------------------------------------------
Time to start 2020? No better time for writing about the TTD (Time Travel Debugging) feature from WinDBG.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/windows-deb…
=====================
= Vulnerabilities =
=====================
∗∗∗ D-LINK Router: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗
---------------------------------------------
Betroffene Systeme: D-LINK Router DCS-935L, D-LINK Router DCS-960L
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in D-LINK Routern ausnutzen, um die Kontrolle über das Gerät zu übernehmen.
---------------------------------------------
https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2020/01/warn…
∗∗∗ VMSA-2020-0001 - VMware Workspace ONE SDK and dependent mobile application updates address sensitive information disclosure vulnerability (CVE-2020-3940) ∗∗∗
---------------------------------------------
VMware Workspace ONE SDK and dependent mobile applications do not properly handle certificate verification failures if SSL Pinning has been enabled in the Workspace ONE UEM Console. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 6.8.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2020-0001.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ldm and sa-exim), Mageia (firefox), openSUSE (chromium, firefox, and thunderbird), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, firefox, log4j, nodejs10, nodejs12, and openssl-1_0_0), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/809175/
∗∗∗ Mattermost security update 5.18.1 / 5.17.3 / 5.16.5 / 5.9.8 (ESR) released ∗∗∗
---------------------------------------------
We have released a recommended security update via Mattermost Team Edition 5.18.1, 5.17.3, 5.16.5, 5.9.8 (ESR) and Mattermost Enterprise Edition 5.18.1, 5.17.3, 5.16.5, 5.9.8 (ESR). This security update addresses a high level vulnerability discovered during a security research review by Juho Nurminen.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-update-5-18-1-5-17-3-5-16-5…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 08-01-2020 18:00 − Donnerstag 09-01-2020 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ SNAKE Ransomware Is the Next Threat Targeting Business Networks ∗∗∗
---------------------------------------------
Since network administrators didnt already have enough on their plate, they now have to worry about a new ransomware called SNAKE that is targeting their networks and aiming to encrypt all of the devices connected to it [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next…
∗∗∗ A tale of a lesser known NFS privesc ∗∗∗
---------------------------------------------
There are countless online examples of privilege escalation abusing bad NFS configuration. However they all rely on the same prerequisite: that you are able to mount the share from somewhere else. ... But it just so happens that there is another, lesser known local exploit.
---------------------------------------------
https://www.errno.fr/nfs_privesc
∗∗∗ What is the Linux Auditing System (aka AuditD)? ∗∗∗
---------------------------------------------
The Linux Auditing System is a native feature to the Linux kernel that collects certain types of system activity to facilitate incident investigation. ... Our goal is to present a neutral overview of the Linux Auditing System so anyone considering implementing it in their own organization knows what to consider before embarking on their quest and what challenges may lurk ahead.
---------------------------------------------
https://capsule8.com/blog/auditd-what-is-the-linux-auditing-system/
=====================
= Vulnerabilities =
=====================
∗∗∗ Schnell updaten: Sicherheitslücke in Firefox wird aktiv ausgenutzt ∗∗∗
---------------------------------------------
Firefox hat mit Version 72.0.1 ein wichtiges Sicherheitsupdate herausgegeben. Geschlossen wird eine Sicherheitslücke, die bereits aktiv ausgenutzt wird. Gemeldet wurde sie von einer chinesischen Sicherheitsfirma. (Firefox, Browser)
---------------------------------------------
https://www.golem.de/news/schnell-updaten-sicherheitsluecke-in-firefox-wird…
∗∗∗ What is Cable Haunt? ∗∗∗
---------------------------------------------
Cable Haunt is a critical vulnerability found in cable modems from various manufacturers across the world. ... First, access to the vulnerable endpoint is gained through a client on the local network, such as a browser. Secondly the vulnerable endpoint is hit with a buffer overflow attack, which gives the attacker control of the modem. .. list of confirmed vulnerable modems: Sagemcom F@st 3890/3986, Technicolor TC7230, Netgear C6250EMR/CG3700EMR, COMPAL 7284E/7486E
---------------------------------------------
https://cablehaunt.com/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Fedora (firefox), Oracle (kernel), Slackware (firefox and kernel), SUSE (apache2-mod_perl, git, java-1_7_0-ibm, java-1_7_1-ibm, log4j, mariadb, and nodejs8), and Ubuntu (gnutls28, graphicsmagick, and nss).
---------------------------------------------
https://lwn.net/Articles/809074/
∗∗∗ CVE-2020-6175 - Citrix SD-WAN Security Update ∗∗∗
---------------------------------------------
An information disclosure vulnerability has been identified in the Citrix SD-WAN Appliance. This vulnerability could allow an unauthenticated attacker to perform a man-in-the-middle attack against management traffic. The vulnerability has been assigned the following CVE number. CVE-2020-6175 – Information Disclosure in Citrix SD-WAN Appliance 10.2.x before 10.2.6 and 11.0.x before 11.0.3
---------------------------------------------
https://support.citrix.com/article/CTX263526
∗∗∗ JSA10979 - 2020-01 Security Bulletin: Junos OS: A specific SNMP command can trigger a high CPU usage Denial of Service in the RPD daemon. (CVE-2020-1600) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10979&actp=RSS
∗∗∗ JSA10980 - 2020-01 Security Bulletin: Junos OS: Upon receipt of certain types of malformed PCEP packets the pccd process may crash. (CVE-2020-1601) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10980&actp=RSS
∗∗∗ JSA10982 - 2020-01 Security Bulletin: Junos OS: Improper handling of specific IPv6 packets sent by clients may cause client devices IPv6 traffic to be black holed, and eventually kernel crash (vmcore) the device. (CVE-2020-1603) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10982&actp=RSS
∗∗∗ JSA10981 - 2020-01 Security Bulletin: Junos OS and Junos OS Evolved: Multiple vulnerabilities in JDHCPD allow for OS command injection and code execution of JDHCPD. ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10981&actp=RSS
∗∗∗ JSA10983 - 2020-01 Security Bulletin: Junos OS: EX4300/EX4600/QFX3500/QFX5100 Series: Stateless IP firewall filter may fail to evaluate certain packets (CVE-2020-1604) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10983&actp=RSS
∗∗∗ JSA10985 - 2020-01 Security Bulletin: Junos OS: Path traversal vulnerability in J-Web (CVE-2020-1606) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10985&actp=RSS
∗∗∗ JSA10986 - 2020-01 Security Bulletin: Junos OS: Cross-Site Scripting (XSS) in J-Web (CVE-2020-1607) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10986&actp=RSS
∗∗∗ JSA10987 - 2020-01 Security Bulletin: Junos OS: MX Series: In BBE configurations, receipt of a specific MPLS or IPv6 packet causes a Denial of Service (CVE-2020-1608) ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10987&actp=RSS
∗∗∗ JSA10990 - 2020-01 Security Bulletin: SBR Carrier: Multiple Vulnerabilities in OpenSSL ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10990&actp=RSS
∗∗∗ JSA10991 - 2020-01 Security Bulletin: SBR Carrier: Multiple Vulnerabilities in Net-SNMP ∗∗∗
---------------------------------------------
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10991&actp=RSS
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 07-01-2020 18:00 − Mittwoch 08-01-2020 18:00
Handler: Robert Waldner
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Project Zero: Googles Bug-Jäger wollen weniger schludrige Patches ∗∗∗
---------------------------------------------
Im laufenden Jahr wollen Googles Security-Bug-Forscher des Project Zero die Disclosure-Richtlinien ändern. Das soll betroffenen Unternehmen nicht nur Updates erleichtern, sondern vor allem die Qualität der Patches verbessern.
---------------------------------------------
https://www.golem.de/news/project-zero-googles-bug-jaeger-wollen-weniger-sc…
∗∗∗ The Basics of Packed Malware: Manually Unpacking UPX Executables ∗∗∗
---------------------------------------------
In this blog post, I want to discuss what packing is, the basics of why malware developers pack their samples and how they go about doing so. Since this is an introductory post, and I myself am still learning all this stuff, we’re going to be manually unpacking a UPX-packed binary, which is one of the simplest packers out there.
---------------------------------------------
https://kindredsec.com/2020/01/07/the-basics-of-packed-malware-manually-unp…
∗∗∗ Tricky Phish Angles for Persistence, Not Passwords ∗∗∗
---------------------------------------------
The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service. Anyone who takes the bait will inadvertently forward a digital token to the attackers that gives them indefinite access to the victim’s email, files and contacts — even after the victim has changed their password.
---------------------------------------------
https://krebsonsecurity.com/2020/01/tricky-phish-angles-for-persistence-not…
∗∗∗ SMS von TrackInfo zu gestopptem DHL-Paket führt in Abo-Falle ∗∗∗
---------------------------------------------
Zahlreiche LeserInnen wenden sich momentan an die Watchlist Internet, weil sie eine SMS von TrackInfo zu einem unzustellbaren Paket erhalten haben. Ein Link in der Nachricht führt auf eine gefälschte DHL-Website. Wegen zu hohen Gewichts müssten nun 2 Euro bezahlt werden. Achtung: Die Nachricht stammt von Kriminellen und soll EmpfängerInnen in eine Abo-Falle locken!
---------------------------------------------
https://www.watchlist-internet.at/news/sms-von-trackinfo-zu-gestopptem-dhl-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Interpeak IPnet TCP/IP Stack (Update D) ∗∗∗
---------------------------------------------
This updated medical advisory is a follow-up to the advisory update titled ICSMA-19-274-01 Interpeak IPnet TCP/IP Stack (Update C) published November 5, 2019, on the ICS webpage on us-cert.gov. This updated medical advisory contains mitigations for stack-based buffer overflow, heap-based buffer overflow, integer underflow, improper restriction of operations within the bounds of a memory buffer, race condition, argument injection, and null pointer dereference vulnerabilities in the Interpeak [...]
---------------------------------------------
https://www.us-cert.gov/ics/advisories/icsma-19-274-01
∗∗∗ PMASA-2020-1 ∗∗∗
---------------------------------------------
SQL injection in user accounts pageAffected VersionsphpMyAdmin 4.x versions prior to 4.9.4 are affected, at least as old as 4.0.0. phpMyAdmin 5.x version 5.0.0 is affected.CVE IDCVE-2020-5504
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2020-1/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (firefox), Debian (python-django and wordpress), Fedora (dovecot), Mageia (opensc, radare2, and varnish), Red Hat (rh-java-common-apache-commons-beanutils), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, java-1_8_0-ibm, java-1_8_0-openjdk, libzypp, openssl-1_0_0, sysstat, and tomcat), and Ubuntu (clamav, linux-azure, and linux-lts-xenial, linux-aws).
---------------------------------------------
https://lwn.net/Articles/808975/
∗∗∗ Fortinet FortiSIEM 5.2.5 / 5.2.6 Hardcoded Key ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2020010061
∗∗∗ Cisco AnyConnect Secure Mobility Client for Android Service Hijack Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Webex Video Mesh Node Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Webex Centers Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Vision Dynamic Signage Director Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco UCS Director Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Mobility Management Entity Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Identity Services Engine Authorization Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco IOS and Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Finesse Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Emergency Responder Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Data Center Analytics Framework Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Unified Customer Voice Portal Insecure Direct Object Reference Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Crosswork Change Automation Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Advisory - Weak Algorithm Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200108-…
∗∗∗ Security Advisory - Information Leak Vulnerability in Some Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200108-…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200108-…
∗∗∗ Security Advisory - Improper Authentication Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200108-…
∗∗∗ January 6, 2020 TNS-2020-01 [R1] SimpleSAMLPHP Stand-alone Patch Available for Tenable.sc versions 5.9.x to 5.12.x ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2020-01-0
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 03-01-2020 18:00 − Dienstag 07-01-2020 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ In eigener Sache: CERT.at sucht Verstärkung ∗∗∗
---------------------------------------------
Für ein internationales Projekt suchen wir eine/n erfahrene/n Pythonentwickler/in (Vollzeit) zum ehestmöglichen Einstieg. Details finden sich auf unserer Jobs-Seite.
---------------------------------------------
https://cert.at/de/ueber-uns/jobs/
∗∗∗ Fake Windows 10 Desktop Used in New Police Browser Lock Scam ∗∗∗
---------------------------------------------
Scammers have taken an old browser scam and invigorated it using a clever and new tactic that takes advantage of your web browsers full-screen mode to show a fake Windows 10 desktop stating your computer is locked.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-windows-10-desktop-used…
∗∗∗ Android-Schadsoftware: Die Tricks mit der Google-Sicherheitslücke ∗∗∗
---------------------------------------------
Sicherheitsforscher haben Schad-Apps im Play Store gefunden, die über eine Google lange bekannte Android-Sicherheitslücke und weitere Tricks Nutzer ausspionierten. Die im Oktober aktiv ausgenutzte Lücke hatte Google eineinhalb Jahre vorher selbst entdeckt.
---------------------------------------------
https://www.golem.de/news/android-schadsoftware-die-tricks-mit-der-google-s…
∗∗∗ A Quick Update on Scanning for CVE-2019-19781 (Citrix ADC / Gateway Vulnerability), (Tue, Jan 7th) ∗∗∗
---------------------------------------------
For the last week, I have been monitoring our honeypot logs for evidence of exploits taking advantage of CVE-2019-19781. Currently, I have not seen an actual "exploit" being used. But there is some evidence that people are scanning for vulnerable systems. Based on some of the errors made with these scans, I would not consider them "sophisticated." There is luckily still no public exploit I am aware of.
---------------------------------------------
https://isc.sans.edu/diary/rss/25686
∗∗∗ The Hidden Cost of Ransomware: Wholesale Password Theft ∗∗∗
---------------------------------------------
Moral of the story: Companies that experience a ransomware attack — or for that matter any type of equally invasive malware infestation — should assume that all credentials stored anywhere on the local network (including those saved inside Web browsers and password managers) are compromised and need to be changed.
---------------------------------------------
https://krebsonsecurity.com/2020/01/the-hidden-cost-of-ransomware-wholesale…
∗∗∗ Breaking PHPs mt_rand() with 2 values and no bruteforce ∗∗∗
---------------------------------------------
.. one of our researchers was adamant that it was possible to recover the Mersenne Twister seed using only two outputs of the mt_rand() function, and without any kind of bruteforce. Nevertheless, we were unable to find any information supporting this theory, and his notes on the matter were long lost. After crunching the numbers a little bit, and years after the PRNG-prediction circus, we proved him right.
---------------------------------------------
https://www.ambionics.io/blog/php-mt-rand-prediction
∗∗∗ SSH Client Auditing & Hardening ∗∗∗
---------------------------------------------
Its been known for years now that SSH servers can (and should) be hardened by removing weak default algorithms. For example, recent versions of OpenSSH ship with algorithms suspected suspected of being back-doored by the NSA (i.e.: ECDSA with the NIST P-curves), along with other algorithms with sub-128bit security levels. But did you know that client software can be hardened too?
---------------------------------------------
https://www.positronsecurity.com/blog/2020-01-07-ssh-client-auditing-and-ha…
∗∗∗ SSH Pentesting Guide ∗∗∗
---------------------------------------------
In this guide, I will:
* Quickly introduce the SSH protocol and implementations.
* Expose some common configuration mistakes then showcase some attacks on the protocol & implementations.
* Present some SSH pentesting & blue team tools.
* Give a standard reference for security guidelines
---------------------------------------------
https://community.turgensec.com/ssh-hacking-guide/
∗∗∗ First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust [PDF] ∗∗∗
---------------------------------------------
In this paper, we report the first practical implementation of this attack, and its impact on real-world security with a PGP/GnuPG impersonation attack. We managed to significantly reduce the complexity of collisions attack against SHA-1..
---------------------------------------------
https://eprint.iacr.org/2020/014.pdf
∗∗∗ Jetzt patchen! Ransomware-Attacken auf VPN-Server mit Pulse Connect Secure ∗∗∗
---------------------------------------------
Erneut nehmen Angreifer VPN-Server mit Pulse Connect Secure ins Visier und nutzen eine kritische Sicherheitslücke aus. Ein Patch ist schon länger verfügbar.
---------------------------------------------
https://heise.de/-4629452
∗∗∗ Versteckte Kosten bei Übernachtungsgutscheinen von Geoplus ∗∗∗
---------------------------------------------
Wie zahlreiche InternetnutzerInnen erhalten Sie womöglich E-Mails von Geoplus, in denen Sie zur Teilnahme an einer europäischen Studie eingeladen werden. Dafür verspricht man Ihnen einen Gutschein für bis zu fünf kostenlose Übernachtungen in über 500 Hotels in 14 Ländern. Achtung: Von „kostenlos“ kann nicht die Rede sein, denn beim Einlösen der Gutscheine müssen Sie Zahlung von Pflichtverpflegungssätzen leisten.
---------------------------------------------
https://www.watchlist-internet.at/news/versteckte-kosten-bei-uebernachtungs…
∗∗∗ What is the random oracle model and why should you care? (Part 5) ∗∗∗
---------------------------------------------
This is part five of a series on the Random Oracle Model. See here for the previous posts: Part 1: An introduction Part 2: The ROM formalized, a scheme and a proof sketch Part 3: How we abuse the ROM to make our security proofs work Part 4: Some more examples of where the ROM … Continue reading What is the random oracle model and why should you care? (Part 5) →
---------------------------------------------
https://blog.cryptographyengineering.com/2020/01/05/what-is-the-random-orac…
∗∗∗ Half of the websites using WebAssembly use it for malicious purposes ∗∗∗
---------------------------------------------
In an academic research project that was carried out last year, four researchers from the Technical University in Braunschweig, Germany, looked at WebAssembly's use on the Alexa Top 1 Million popular sites on the internet, in an attempt to gauge the popularity of this new technology.
---------------------------------------------
https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it…
=====================
= Vulnerabilities =
=====================
∗∗∗ Android Security Bulletin—January 2020 ∗∗∗
---------------------------------------------
The most severe of these issues is a critical security vulnerability in Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
---------------------------------------------
https://source.android.com/security/bulletin/2020-01-01.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (netty) and Fedora (libssh, nethack, php, samba, and xen).
---------------------------------------------
https://lwn.net/Articles/808621/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, cyrus-imapd, drupal7-l10n_update, drupal7-webform, htmldoc, nethack, php, and singularity), Mageia (advancecomp, apache-commons-compress-, cyrus-imapd, cyrus-sasl, dia, freeimage, freeradius, igraph, jhead, jss, libdwarf, libextractor, libxml2, mediawiki, memcached, mozjs60, openconnect, openssl, putty, python-ecdsa, python-werkzeug, shadowsocks-libev, and upx), Oracle (container-tools:1.0 and container-tools:ol8), and Red Hat
---------------------------------------------
https://lwn.net/Articles/808803/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (nss and pillow), Red Hat (java-1.8.0-ibm and kernel), Slackware (firefox), SUSE (virglrenderer), and Ubuntu (linux, linux-aws, linux-aws-5.0, linux-azure, linux-gcp, linux-gke-5.0, linux-kvm, linux-oem-osp1, linux-oracle, linux-oracle-5.0, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-kvm, linux-oracle, linux-raspi2, and linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/808881/
∗∗∗ Security Vulnerabilities fixed in Firefox 72 ∗∗∗
---------------------------------------------
Severity: high
CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows
CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
CVE-2019-17017: Type Confusion in XPCVariant.cpp
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Liberty affect IBM WIoTP MessageGateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM MessageSight ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Corporate Payment Services for Multi-Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Financial Transaction Manager for Check Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for Check Services for Multi-Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Financial Transaction Manager for Corporate Payment Services is affected by a potential cross-site scripting (XSS) vulnerability (CVE-2018-15494) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
∗∗∗ Security Bulletin: Security Vulnerabilties have been addressed in IBM Cognos Analytics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilties-h…
∗∗∗ Security Bulletin: Information Exposure vulnerability found on IBM Security Secret Server (CVE-2019-4634) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-information-exposure-vuln…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 02-01-2020 18:00 − Freitag 03-01-2020 18:00
Handler: Robert Waldner
Co-Handler: Dimitri Robl
=====================
= News =
=====================
∗∗∗ Promiscuous Cookies and Their Impending Death via the SameSite Policy ∗∗∗
---------------------------------------------
Cookies like to get around. They have no scruples about where they go save for some basic constraints relating to the origin from which they were set. I mean have a think about it:If a website sets a cookie then you click a link to another page on that [...]
---------------------------------------------
https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-…
∗∗∗ Gefälschte E-Mail zu Amazon-Bestellung ∗∗∗
---------------------------------------------
Kriminelle versenden derzeit E-Mails zu einer angeblichen Amazon-Bestellung. In der Mail wird darauf hingewiesen, dass eine Bestellung von einem bisher nicht benutzten Gerät aus getätigt wurde. Im Anhang findet man ein PDF mit Infos zur angeblichen Bestellung und der Möglichkeit, die Bestellung zu stornieren. Wer das tut, gibt seine Amazon-Zugangsdaten an Kriminelle weiter!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-e-mail-zu-amazon-bestell…
=====================
= Vulnerabilities =
=====================
∗∗∗ Workaround verfügbar: Kritische Lücke in Citrix ADC und Gateway ∗∗∗
---------------------------------------------
Angreifer könnten Systeme mit Citrix ADC und Gateway attackieren und Schadcode ausführen. Patches sind bislang nicht erschienen.
---------------------------------------------
https://heise.de/-4627525
∗∗∗ Vulnerability Spotlight: Two buffer overflow vulnerabilities in OpenCV ∗∗∗
---------------------------------------------
Cisco Talos recently discovered two buffer overflow vulnerabilities in the OpenCV libraries. An attacker could potentially exploit these bugs to cause heap corruptions and potentially code execution. Intel Research originally developed OpenCV in 1999, but it is currently maintained by the non-profit organization OpenCV.org. OpenCV is used for numerous applications, including facial recognition technology, robotics, motion tracking [...]
---------------------------------------------
https://blog.talosintelligence.com/2020/01/opencv-buffer-overflow-jan-2020.…
∗∗∗ WooCommerce Conversion Tracking < 2.0.6 - CSRF to XSS ∗∗∗
---------------------------------------------
https://wpvulndb.com/vulnerabilities/10001
∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – OpenSSL (CVE-2019-1563, CVE-2019-1549, CVE-2019-1547) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to a Kubernetes vulnerability (CVE-ID: CVE-2019-11244) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Tivoli Storage Manager FastBack (CVE-2019-2816) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Vulnerabities in SSL in IBM DataPower Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabities-in-ssl-in-i…
∗∗∗ Security Bulletin: IBM DataPower Gateway is potentially vulnerable to two cryptographic side-channel vulnerabilities in SSL. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-is-…
∗∗∗ Security Bulletin: Potential side-channel cryptographic vulnerabilities in IBM DataPower Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-potential-side-channel-cr…
∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private Cloud Foundry – Python (CVE-2019-9947, CVE-2019-9948) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Potential disclosure of information in IBM DataPower Gateway (CVE-2018-14348) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-potential-disclosure-of-i…
∗∗∗ D-LINK Router: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K20-0002
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 30-12-2019 18:00 − Donnerstag 02-01-2020 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ransomware in Node.js, (Thu, Jan 2nd) ∗∗∗
---------------------------------------------
Here is a sample that I spotted two days ago. Its an interesting one because its a malware that implements ransomware features developed in Node.js! The stage one is not obfuscated and I suspect the script to be a prototype or a test...
---------------------------------------------
https://isc.sans.edu/diary/rss/25664
∗∗∗ The Anatomy of Website Malware Part 2: Credit Card Stealers ∗∗∗
---------------------------------------------
One of the biggest malicious trends in the last few months and years are credit card stealers — also commonly referred to as credit card skimmers or cc stealers . In the second part of this Website Malware Anatomy series, I’m going to deconstruct several skimmers and show you what they look like, where they are hiding, and how they work.
---------------------------------------------
https://blog.sucuri.net/2019/12/the-anatomy-of-website-malware-part-2-credi…
∗∗∗ Kaufen Sie keine Welpen auf realpuppieshome.com ∗∗∗
---------------------------------------------
Auf realpuppieshome.com werden Ihnen zahlreiche entzückende Zuchtwelpen angezeigt und zur Adoption angeboten. Die aufwendig gestaltete Website täuscht dabei ein seriöses Angebot vor. Doch nehmen Sie sich in Acht: Hier erhalten Sie das gewünschte Hundejunge nie. Stattdessen verlieren Sie Ihr Geld an Kriminelle.
---------------------------------------------
https://www.watchlist-internet.at/news/kaufen-sie-keine-welpen-auf-realpupp…
=====================
= Vulnerabilities =
=====================
∗∗∗ December 30, 2019 TNS-2019-09 [R1] Tenable.sc 5.13.0 Fixes Multiple Third-Party Vulnerabilities ∗∗∗
---------------------------------------------
Three separate third-party components (OpenSSL, Apache HTTP Server, SimpleSAMLphp) were found to contain vulnerabilities, and updated versions have been made available by the providers. Out of caution and in line with good practice, Tenable opted to upgrade the bundled libraries to address the potential impact of these issues in Tenable.sc.
---------------------------------------------
http://www.tenable.com/security/tns-2019-09
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (intel-microcode and libbsd), openSUSE (chromium, LibreOffice, and spectre-meltdown-checker), and SUSE (mozilla-nspr, mozilla-nss and python-azure-agent).
---------------------------------------------
https://lwn.net/Articles/808319/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (igraph, jhead, libgcrypt20, otrs2, and waitress) and Mageia (clamaw, exiv2, filezilla, hunspell, libidn2, pdfresurrect, roundcubemail, and xpdf).
---------------------------------------------
https://lwn.net/Articles/808395/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Red Hat (chromium-browser and rh-git218-git) and SUSE (java-1_8_0-ibm and openssl-1_1).
---------------------------------------------
https://lwn.net/Articles/808488/
∗∗∗ Cisco Data Center Network Manager Authentication Bypass Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Data Center Network Manager XML External Entity Read Access Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Data Center Network Manager JBoss EAP Unauthorized Access Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Data Center Network Manager SQL Injection Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Data Center Network Manager Path Traversal Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Data Center Network Manager Command Injection Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Advisory - Missing Integrity Checking Vulnerability on Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-…
∗∗∗ Security Advisory - Information Leak Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191030-…
∗∗∗ Security Advisory - Improper Credentials Management Vulnerability in Some Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200102-…
∗∗∗ Security Advisory - Information Leak Vulnerability in Some Huawei Smart Phones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200102-…
∗∗∗ Security Advisory - Denial of Service Vulnerability in Several Smartphones ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200102-…
∗∗∗ Security Advisory - Buffer Error Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200102-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Privileged Identity Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – Swagger UI (CVE-2019-17495) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private Kubernetes (CVE-2019-11245) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to IBM WebSphere Application Server Liberty vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2014-3603) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to an IBM WebSphere Application Server Liberty vulnerability (CVE-2019-12402) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: A Security Vulnerability affects Cloud Foundry for IBM Cloud Private (CVE-2019-16935) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 27-12-2019 18:00 − Montag 30-12-2019 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Lesser-known Tools for Android Application PenTesting ∗∗∗
---------------------------------------------
Over time, I became familiar with the different tools, popular or not, that helped me in my assessments. In this post, I’ll list down these not-so-popular tools (in my opinion based on the different sources and blogs that I have read where these tools were not mentioned) that I’m using during my engagements.
---------------------------------------------
https://captmeelo.com/pentest/2019/12/30/lesser-known-tools-for-android-pen…
∗∗∗ 36C3: Vertraue keinem Bluetooth-Gerät – schon gar nicht im vernetzten Auto ∗∗∗
---------------------------------------------
Bei Chips zur drahtlosen Datenübertragung etwa via Bluetooth gibt es massive Sicherheitslücken. Bei geteilten Antennen lässt sich etwa WLAN ausknipsen.
---------------------------------------------
https://heise.de/-4624388
=====================
= Vulnerabilities =
=====================
∗∗∗ Trend Micro AntiVirus für Mac: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗
---------------------------------------------
Trend Micro AntiVirus ist eine Anti-Viren-Software.
---------------------------------------------
https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2019/12/warn…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by SUSE (dia, kernel, and libgcrypt).
---------------------------------------------
https://lwn.net/Articles/808135/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (debian-lan-config, freeimage, imagemagick, libxml2, mediawiki, openssl1.0, php5, and tomcat8).
---------------------------------------------
https://lwn.net/Articles/808234/
∗∗∗ Intel SPS vulnerability CVE-2019-11109 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K54164678
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 23-12-2019 18:00 − Freitag 27-12-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Timely acquisition of network traffic evidence in the middle of an incident response procedure, (Wed, Dec 25th) ∗∗∗
---------------------------------------------
The acquisition of evidence is one of the procedures that always brings controversy in incident management. We must answer questions such as: [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/25560
∗∗∗ Bypassing UAC to Install a Cryptominer ∗∗∗
---------------------------------------------
First of all, Merry Christmas to all our readers! I hope youre enjoying the break with your family and friends! Even if everything slows down in this period, there is always malicious activity ongoing. I found a small PowerShell script that looked interesting for a quick diary. First of all, it has a VT score of 2/60[1]. It installs a cryptominer and its most interesting feature is the use of a classic technique to bypass UAC[2].
---------------------------------------------
https://isc.sans.edu/forums/diary/Bypassing+UAC+to+Install+a+Cryptominer/25…
∗∗∗ Video: Identitätsdiebstahl mit gefälschten Airbnb-Mails ∗∗∗
---------------------------------------------
Airbnb genießt hohes Vertrauen bei seinen UserInnen. Das versuchen sich auch Kriminelle zu Nutze zu machen. Sie versenden betrügerische Phishing-Mails im Design von Airbnb.
---------------------------------------------
https://www.watchlist-internet.at/news/video-identitaetsdiebstahl-mit-gefae…
∗∗∗ Video: Erpressungs-Mails ∗∗∗
---------------------------------------------
Kriminelle versenden massenhaft Erpressungs-Mails an InternetnutzerInnen. Darin behaupten sie, die EmpfängerInnen der Nachrichten beim Masturbieren gefilmt zu haben. Um zu vermeiden, dass das Video veröffentlicht wird, sollen gewisse Geldbeträge in Form von Bitcoins bezahlt werden.
---------------------------------------------
https://www.watchlist-internet.at/news/video-erpressungs-mails/
=====================
= Vulnerabilities =
=====================
∗∗∗ New Magellan 2.0 SQLite Vulnerabilities Affect Many Programs ∗∗∗
---------------------------------------------
New vulnerabilities in the SQLite database engine affect a wide range of applications that utilize it as a component within their software packages.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-magellan-20-sqlite-vulne…
∗∗∗ AVE DOMINAplus 1.10.x Credentials Disclosure Exploit ∗∗∗
---------------------------------------------
The application suffers from clear-text credentials disclosure vulnerability that allows an unauthenticated attacker to issue a request to an unprotected directory that hosts an XML file /xml/authClients.xml and obtain administrative login information that allows for a successful authentication bypass attack.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php
∗∗∗ AVE DOMINAplus 1.10.x Authentication Bypass Exploit ∗∗∗
---------------------------------------------
DOMINAplus suffers from an authentication bypass vulnerability due to missing control check when directly calling the autologin GET parameter in changeparams.php script. Setting the autologin value to 1 allows an unauthenticated attacker to permanently disable the authentication security control and access the management interface with admin privileges without providing credentials.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5549.php
∗∗∗ AVE DOMINAplus 1.10.x Unauthenticated Remote Reboot ∗∗∗
---------------------------------------------
The application suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5548.php
∗∗∗ AVE DOMINAplus 1.10.x CSRF/XSS Vulnerabilities ∗∗∗
---------------------------------------------
The application suffers from multiple CSRF and XSS vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Input passed to several GET/POST parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script [...]
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5547.php
∗∗∗ Inim Electronics Smartliving SmartLAN/G/SI 6.x Hard-coded Credentials ∗∗∗
---------------------------------------------
The devices utilizes hard-coded credentials within its Linux distribution image. These sets of credentials (Telnet, SSH, FTP) are never exposed to the end-user and cannot be changed through any normal operation of the smart home device. Attacker could exploit this vulnerability by logging in and gain system access.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5546.php
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (freetype, kernel, nss, nss-softokn, nss-util, and thunderbird), Mageia (ghostpcl, libmirage, and spamassassin), Oracle (fribidi), and SUSE (mariadb-100, shibboleth-sp, and slurm).
---------------------------------------------
https://lwn.net/Articles/808090/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, fribidi, nss, nss-softokn, nss-util, openslp, and thunderbird), Debian (opensc), and Mageia (389-ds-base, apache, apache-mod_auth_openidc, kernel, libofx, microcode, php, and ruby).
---------------------------------------------
https://lwn.net/Articles/808119/
∗∗∗ CA Client Automation 14.x Privilege Escalation ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2019120108
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security Advisory - Insufficient Input Validation Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-…
∗∗∗ Security Advisory - Integer Overflow Vulnerability in the Linux Kernel (SACK Panic) ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-…
∗∗∗ Security Advisory - Multiple Vulnerabilities in the X.509 Implementation in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-…
∗∗∗ Security Advisory - Missing Integrity Checking Vulnerability on Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2019/huawei-sa-20191225-…
∗∗∗ Red Hat Enterprise Linux: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit den Rechten des Dienstes ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1110
∗∗∗ ImageMagick / GraphicsMagick: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1117
∗∗∗ D-LINK Router: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1116
∗∗∗ Nvidia GeForce Experience: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1114
∗∗∗ Trend Micro Maximum Security: Schwachstelle ermöglicht Denial of Service oder Offenlegung von Informationen ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1113
∗∗∗ Trend Micro AntiVirus für Mac: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K19-1120
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 20-12-2019 18:00 − Montag 23-12-2019 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ FBI Issues Alert For LockerGoga and MegaCortex Ransomware ∗∗∗
---------------------------------------------
The FBI has issued a warning to private industry recipients to provide information and guidance on the LockerGoga and MegaCortex Ransomware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockerg…
∗∗∗ Mozi, Another Botnet Using DHT ∗∗∗
---------------------------------------------
Mozi Botnet relies on the DHT protocol to build a P2P network, and uses ECDSA384 and the xor algorithm to ensure the integrity and security of its components and P2P network. The sample spreads via Telnet with weak passwords and some known exploits
---------------------------------------------
https://blog.netlab.360.com/mozi-another-botnet-using-dht/
∗∗∗ Extracting VBA Macros From .DWG Files, (Sun, Dec 22nd) ∗∗∗
---------------------------------------------
I updated my oledump.py tool to help with the analysis of files that embed OLE files, like AutoCAD's .dwg files with VBA macros.
---------------------------------------------
https://isc.sans.edu/diary/rss/25634
∗∗∗ Leveraging Disk Imaging Tools to Deliver RATs ∗∗∗
---------------------------------------------
This year we observed a notable uptick in disc imaging software (like .ISO) being used as a container for serving malware via email, with .ISO archives attributing to 6% of all malware attachment archives seen this year.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/leveraging-…
∗∗∗ Looking into Attacks and Techniques Used Against WordPress Sites ∗∗∗
---------------------------------------------
This blog post lists different kinds of attacks against WordPress, by way of payload examples we observed in the wild, and how attacks have used hacked admin access and API, Alfa-Shell deployment, and SEO poisoning to take advantage of vulnerable sites.
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/mjE1ckQKGtA/
∗∗∗ Geknackte Zwei-Faktor-Anmeldung: Warum Software Token keine gute Idee sind ∗∗∗
---------------------------------------------
Eine mutmaßlich chinesische Hackergruppe, deren Angriffe bis 2011 zurückgehen, soll einen neuartigen Angriff auf RSA-Software-Token entdeckt haben.
---------------------------------------------
https://heise.de/-4622748
∗∗∗ Jetzt updaten: Cisco ASA 5500-X Series Firewalls aus der Ferne angreifbar ∗∗∗
---------------------------------------------
Eine bereits seit 2018 bekannte ASA-Schwachstelle wird derzeit möglicherweise aktiv ausgenutzt.
---------------------------------------------
https://heise.de/-4621541
∗∗∗ Vorsicht vor GMX-Phishing-Mails ∗∗∗
---------------------------------------------
Zahlreiche LeserInnen melden uns momentan gefährliche Phishing-Mails, mit denen Kriminelle versuchen, an GMX-Konten zu gelangen. GMX-UserInnen müssen sich daher in Acht nehmen, wenn sie plötzlich wegen einer angeblichen Kontosperre, zu einem Login aufgefordert werden. Die Daten und E-Mail-Konten landen in den Händen Krimineller und können für Verbrechen unter fremder Identität genützt werden!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gmx-phishing-mails/
∗∗∗ War Never Changes: Attacks Against WPA3’s Enhanced Open — Part 2: Understanding OWE ∗∗∗
---------------------------------------------
https://posts.specterops.io/war-never-changes-attacks-against-wpa3s-enhance…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now: Published Citrix applications leave networks of potentially 80,000 firms at risk from attackers ∗∗∗
---------------------------------------------
Unauthorised users able to perform arbitrary code execution A critical vulnerability found in Citrix Application Delivery Controller and Citrix Gateway (formerly known as Netscaler ADC and Netscaler Gateway) means businesses with apps published using these technologies may be exposing their internal network to unauthorised access.
---------------------------------------------
https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/12/23/patch_no…
∗∗∗ Sicherheitslücke in Twitter-App für Android ∗∗∗
---------------------------------------------
Über eine Sicherheitslücke in der Twitter-App für Android lässt sich bösartiger Code einschleusen, der private Daten auslesen kann. Ein Update steht bereit.
---------------------------------------------
https://heise.de/-4621735
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups, cyrus-sasl2, tightvnc, and x2goclient), Fedora (cacti and cacti-spine), openSUSE (mariadb and samba), Oracle (fribidi, git, and python), Red Hat (fribidi, libyang, and qemu-kvm-rhev), Slackware (openssl and tigervnc), and SUSE (firefox, nspr, nss and kernel).
---------------------------------------------
https://lwn.net/Articles/808026/
∗∗∗ Synology-SA-19:43 Drupal ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to upload arbitrary files via a susceptible version of Drupal.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_19_43
∗∗∗ F5 Security Advisories ∗∗∗
---------------------------------------------
https://support.f5.com/csp/new-updated-articles
∗∗∗ Security Bulletin: Multiple Vulnerabilities in libpng affects IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Input Validation Vulnerability in Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-input-validation-vulnerab…
∗∗∗ Security Bulletin: Multiple Vulnerabilities In Redis affects Watson Studio Local (CVE-2018-12453, CVE-2018-12326, CVE-2018-11218) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: JWT Token Check Vulnerability in Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-jwt-token-check-vulnerabi…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Kubernetes affects IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Watson Studio Local Key Storage Vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-watson-studio-local-key-s…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in GNU binutils affects IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in GNU Binutils affects Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Internal SSL Communication Vulerability in Watson Studio Local (PSIRT-ADV0011800) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-internal-ssl-communicatio…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in OpenSSL affects IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerabilities in Samba affects IBM Watson Studio Local ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-samba-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily