Daily

daily@lists.cert.at

1 participants
3154 discussions

Tageszusammenfassung - 09.04.2018
by Daily end-of-shift report 09 Apr '18

09 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-04-2018 18:00 − Montag 09-04-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ARP Spoofing in 2018: are you protected?, (Mon, Apr 9th) ∗∗∗ --------------------------------------------- This week I was reminded how efficient ARP (Address Resolution Protocol) spoofing attacks might be. A single Android device equipped with offensive tools was enough to fool any device on a network and capture sensitive data. But wait, we are talking about a threat as old as ARP specification from 1982. There arent vulnerable networks to this nowadays, right? Wrong. --------------------------------------------- https://isc.sans.edu/diary/rss/23533 ∗∗∗ Hacked Website Trend Report – 2017 ∗∗∗ --------------------------------------------- We are proud to be releasing our latest Hacked Website Trend Report for 2017. This report is based on data collected and analyzed by the Sucuri Remediation Group (RG), which includes the Incident Response Team (IRT) and the Malware Research Team (MRT). The data presented stems from the analysis of 34,371 infected websites summarizing the latest trends by bad actors. --------------------------------------------- https://blog.sucuri.net/2018/04/hacked-website-trend-report-2017.html ∗∗∗ The dots do matter: how to scam a Gmail user ∗∗∗ --------------------------------------------- I recently received an email from Netflix which nearly caused caused me to add my card details to someone else’s Netflix account. Here I show that this is a new kind of phishing scam which is enabled by an obscure feature of Gmail called “the dots don’t matter”. I then argue that the dots do matter, and that this Gmail feature is in fact a misfeature. --------------------------------------------- https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-… ∗∗∗ Event Log Auditing, Demystified ∗∗∗ --------------------------------------------- the topic of reviewing event logs has received a fair amount grunts, groans, and questions such as “You honestly expect us to review all of that data?!” or “We have so many systems! Where would we even begin?” or “We already have enough on our plate to worry about!”. Fortunately, the times have changed, and log aggregation has matured over a relatively short amount of time. Its existence alone however is not the complete answer to log auditing woes. --------------------------------------------- https://medium.com/@jeremy.trinka/event-log-auditing-demystified-75b55879f0… ∗∗∗ How to prevent bypassing AppLocker using Alternate Data Streams ∗∗∗ --------------------------------------------- I usually write my blog-posts in german. This one is in english, because Sami Laiho asked me to do a short write-up, to make this problem available to a broader audience. Who is affected and what’s the problem? If you are using AppLocker Application-Whitelisting using Path-Rules with Exceptions you are probably affected. --------------------------------------------- https://hitco.at/blog/howto-prevent-bypassing-applocker-using-alternate-dat… ∗∗∗ Nicht bestellen bei salewaz.top! ∗∗∗ --------------------------------------------- Auf der Website salewaz.top findet man Kleidung und Sportausrüstung der bekannten Marke Salewa. Die Preise der Angebote sind um vieles niedriger als üblich für Salewa-Produkte, weshalb ein Kauf auf den ersten Blick attraktiv erscheint. KonsumentInnen sollten in diesem Shop auf keinen Fall bestellen, denn es handelt sich um betrügerische Anbieter und es wird trotz Bezahlung keine Ware verschickt. --------------------------------------------- https://www.watchlist-internet.at/news/nicht-bestellen-bei-salewaztop/ ===================== = Vulnerabilities = ===================== ∗∗∗ Bugtraq: [RT-SA-2017-015] CyberArk Password Vault Memory Disclosure ∗∗∗ --------------------------------------------- Data in the CyberArk Password Vault may be accessed through a proprietary network protocol. While answering to a client's logon request, the vault discloses around 50 bytes of its memory to the client. --------------------------------------------- http://www.securityfocus.com/archive/1/541931 ∗∗∗ Bugtraq: [RT-SA-2017-014] CyberArk Password Vault Web Access Remote Code Execution ∗∗∗ --------------------------------------------- The CyberArk Password Vault Web Access application uses authentication tokens which consist of serialized .NET objects. By crafting manipulated tokens, attackers are able to gain unauthenticated remote code execution on the web server. --------------------------------------------- http://www.securityfocus.com/archive/1/541932 ∗∗∗ Authentication Bypass Vulnerability Found in Auth0 Identity Platform ∗∗∗ --------------------------------------------- A critical authentication bypass vulnerability has been discovered in one of the biggest identity-as-a-service platform Auth0 that could have allowed a malicious attacker to access any portal or application, which are using Auth0 service for authentication. Auth0 offers token-based authentication solutions for a number of platforms including the ability to integrate social media ... --------------------------------------------- https://thehackernews.com/2018/04/auth0-authentication-bypass.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (openssl and zziplib), Debian (ldap-account-manager, ming, python-crypto, sam2p, sdl-image1.2, and squirrelmail), Fedora (bchunk, koji, libidn, librelp, nodejs, and php), Gentoo (curl, dhcp, libvirt, mailx, poppler, qemu, and spice-vdagent), Mageia (389-ds-base, aubio, cfitsio, libvncserver, nmap, and ntp), openSUSE (GraphicsMagick, ImageMagick, spice-gtk, and wireshark), Oracle (kubernetes), Slackware (patch), and SUSE (apache2 and openssl). --------------------------------------------- https://lwn.net/Articles/751346/ ∗∗∗ The BIG-IP DNS/GTM system may be exposed to DNS hijacking when the BIG-IP system host name belongs to a public domain name that the BIG-IP owner does not control ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32518458 ∗∗∗ Cisco IOS and IOS XE Software Smart Install Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Notice - Statement on the Media Disclosure of the Security Vulnerabilities in the Intel CPU Architecture Design ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2018/huawei-sn-20180104-01-… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in Samba affect IBM i ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=nas8N1022524 ∗∗∗ IBM Security Bulletin: Vulnerability in sendmail impacts AIX (CVE-2014-3956) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1027341 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.04.2018
by Daily end-of-shift report 06 Apr '18

06 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-04-2018 18:00 − Freitag 06-04-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Remote Execution Flaw Threatens Apps Built Using Spring Framework — Patch Now ∗∗∗ --------------------------------------------- Security researchers have discovered three vulnerabilities in the Spring Development Framework, one of which is a critical remote code execution flaw that could allow remote attackers to execute arbitrary code against applications built with it. Spring Framework is a popular, lightweight and an open source framework for developing Java-based enterprise applications. In an [...] --------------------------------------------- https://thehackernews.com/2018/04/spring-framework-hacking.html ∗∗∗ Sicherheitsforscher finden 1,5 Milliarden sensible Daten ∗∗∗ --------------------------------------------- Forscher des IT-Sicherheitsanbieters Digital Shadows haben eigenen Angaben zufolge weltweit rund 1,5 Milliarden Datensätze in falsch konfigurierten und daher frei zugänglichen Online-Speichern gefunden. Darunter befinden sich sensible Informationen wie medizinische Daten, Gehaltsabrechnungen oder Patente. --------------------------------------------- https://www.bsi.bund.de/DE/Presse/Kurzmeldungen/Meldungen/news_forscher_fin… ∗∗∗ From PNG tEXt to Persistent XSS ∗∗∗ --------------------------------------------- I was on job for a client and was playing around with various endpoints they have for uploading files. They're really strict on several things and will only accept files with a .PNG extension. In one place, however, you were able to upload files with a .html extension ... score. Well, not really. You're allowed to upload [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/from-png-text-to-persistent-x… ∗∗∗ Warnung vor sportspoort.de ∗∗∗ --------------------------------------------- Der Online-Shop sportspoort.de verkauft günstige Adidas-Schuhe. Es handelt sich um gefälschte Markenware. Konsument/innen können sie ausschließlich über eine unsichere Verbindung mit ihrer Kreditkarte bezahlen. Die Watchlist Internet rät von einem Einkauf auf sportspoort.de ab, denn der Anbieter ist kriminell. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-sportspoortde/ ===================== = Vulnerabilities = ===================== ∗∗∗ Rockwell Automation MicroLogix ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper authentication vulnerability in the Rockwell MicroLogix Controller. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-095-01 ∗∗∗ Moxa MXview ∗∗∗ --------------------------------------------- This advisory includes mitigations for an information exposure vulnerability in the Moxa MXview network management software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-095-02 ∗∗∗ LCDS – Leão Consultoria e Desenvolvimento de Sistemas Ltda ME LAquis SCADA ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper check or handling of exceptional conditions vulnerability in LCDS – Leão Consultoria e Desenvolvimento de Sistemas Ltda ME LAquis SCADA device. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-095-03 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sharutils), Fedora (firefox, httpd, and mod_http2), openSUSE (docker-distribution, graphite2, libidn, and postgresql94), Oracle (libvorbis and thunderbird), Red Hat (libvorbis, python-paramiko, and thunderbird), Scientific Linux (libvorbis and thunderbird), SUSE (apache2), and Ubuntu (firefox, linux-lts-xenial, linux-aws, and ruby1.9.1, ruby2.0, ruby2.3). --------------------------------------------- https://lwn.net/Articles/751146/ ∗∗∗ [local] Sophos Endpoint Protection 10.7 - Tamper-Protection Bypass ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/44410/ ∗∗∗ [local] Sophos Endpoint Protection Control Panel 10.7 - Weak Password Encryption ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/44411/ ∗∗∗ IBM Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal (CVE-2018-1483) ∗∗∗ --------------------------------------------- https://www-01.ibm.com/support/docview.wss?uid=swg22015317 ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Cognos TM1 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015269 ∗∗∗ IBM Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Cognos Insight ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015268 ∗∗∗ IBM Security Bulletin: Vulnerability in Apache commons-fileupload affects IBM Algo One Algo Risk Application (ARA) CVE-2016-1000031 ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015340 ∗∗∗ Intel SPI Flash Unsafe Opcodes Lets Local Users Cause Denial of Service Conditions ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1040626 ∗∗∗ [R1] SecurityCenter 5.6.2.1 Fixes One Third-party Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2018-03 ∗∗∗ The BIG-IP ASM CSRF token may fail to renew when the original web server renews its session ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K70517410 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.04.2018
by Daily end-of-shift report 05 Apr '18

05 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-04-2018 18:00 − Donnerstag 05-04-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Intel Tells Users to Uninstall Remote Keyboard App Over Unpatched Security Bugs ∗∗∗ --------------------------------------------- Intel has decided that instead of fixing three security bugs affecting the Intel Remote Keyboard Android app, it would be easier to discontinue the application altogether. --------------------------------------------- https://www.bleepingcomputer.com/news/security/intel-tells-users-to-uninsta… ∗∗∗ Natus Neuroworks: Sicherheitslücken in Gehirnscan-Software entdeckt ∗∗∗ --------------------------------------------- Der Scan der Hirnaktivitäten ist nicht gefährdet, das Krankenhaus aber schon: Sicherheitsexperten haben Schwachstellen in der Software von EEG-Geräten gefunden, die es ermöglichen, Code auf dem Gerät auszuführen und sich Zugriff auf das Krankenhausnetz zu verschaffen. (Security, Cisco) --------------------------------------------- https://www.golem.de/news/natus-neuroworks-sicherheitsluecken-in-gehirnscan… ∗∗∗ Apples Dateisystem: APFS-Probleme bleiben bestehen ∗∗∗ --------------------------------------------- Nach dem letzten Problem rund um die Klartextspeicherung von Passwörtern zu verschlüsselten APFS-Datenträgern stellt sich nach weiteren Untersuchungen heraus, dass die Passwörter mit 10.13.4 weiter lesbar sind. Die Passwörter verbleiben auch nach dem Patch in den Logs. (APFS, Apple) --------------------------------------------- https://www.golem.de/news/apples-dateisystem-apfs-probleme-bleiben-bestehen… ∗∗∗ Understanding Code Signing Abuse in Malware Campaigns ∗∗∗ --------------------------------------------- Using a machine learning system, we analyzed 3 million software downloads, involving hundreds of thousands of internet-connected machines, and provide insights in this three-part blog series. In the first part of this series, we took a closer look at unpopular software downloads and the risks they pose to organizations. We also briefly mentioned the problem regarding code signing abuse, which we will elaborate on in this post. --------------------------------------------- https://blog.trendmicro.com/trendlabs-security-intelligence/understanding-c… ∗∗∗ Critical Infrastructure at Risk: Advanced Actors Target Smart Install Client ∗∗∗ --------------------------------------------- Cisco has recently become aware of specific advanced actors targeting Cisco switches by leveraging a protocol misuse issue in the Cisco Smart Install Client. Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol. Some of these attacks are believed to be associated with nation-state actors, such as those described in U.S. CERTs recent alert. --------------------------------------------- http://blog.talosintelligence.com/2018/04/critical-infrastructure-at-risk.h… ∗∗∗ Keine 358.80 Euro an toxflix.de und ähnliche Streaming-Plattformen zahlen! ∗∗∗ --------------------------------------------- Die CINE STAR LTD ist laut Impressum verantwortlich für Streaming-Webseiten wie toxflix.de, roxflix.de oder laflix.de. Auf den Seiten werden Filme zum Streamen angeboten, vorab ist aber eine Registrierung durch die InteressentInnen notwendig. Die Anmeldung führt nach Ablauf einer 5-Tagesfrist zum Abschluss einer Premium-Mitgliedschaft und Forderungen in der Höhe von 358,80 Euro im Jahr. Der Betrag muss nicht bezahlt werden, denn ein gültiger Vertrag kommt nie zustande! --------------------------------------------- https://www.watchlist-internet.at/news/keine-35880-euro-an-toxflixde-und-ae… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (drupal), Debian (openjdk-7), Fedora (exempi, gd, and tomcat), SUSE (python-paramiko), and Ubuntu (kernel, libvncserver, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-lts-trusty, and linux-raspi2). --------------------------------------------- https://lwn.net/Articles/751026/ ∗∗∗ Vuln: Atlassian Bamboo CVE-2018-5224 Remote Security Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/103653 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Guardium Data Redaction ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22013308 ∗∗∗ IBM Security Bulletin: A vulnerability in Open Source Bind affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014266 ∗∗∗ IBM Security Bulletin: Potential spoofing attack in Liberty for Java for IBM Cloud (CVE-2017-1788) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015292 ∗∗∗ IBM Security Bulletin: A security vulnerability has been identified in IBM HTTP Server used by IBM WebSphere Application Server which is shipped with IBM PureApplication System (CVE-2017-12618) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22011238 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in Oracle Java SE affect IBM Spectrum Protect™ Plus ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014937 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK that affect IBM PureApplication System ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015284 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Rational Synergy ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015161 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Operations Center and Client Management Service (CVE-2017-10295, CVE-2017-10355, CVE-2017-10356) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013492 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect the IBM Spectrum Protect Server (CVE-2017-10295, CVE-2017-10355) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22013493 ∗∗∗ IBM Security Bulletin: Potential Privilege Escalation and Information disclosure affect IBM WebSphere Application Server in IBM Cloud (CVE-2017-1731, CVE-2017-1741) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014721 ∗∗∗ IBM Security Bulletin: IBM Distributed Marketing Could Allow an Authenticated but Unauthorized User with Special Access to Change Security Policies (CVE-2017-1109) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015044 ∗∗∗ IBM Security Bulletin: IBM SPSS Statistics is affected by multiple GSKit vulnerabilities ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015252 ∗∗∗ IBM Security Bulletin: XML External Entity Injection (XXE) Vulnerability Impacts IBM Campaign (CVE-2015-0254) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015263 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Financial Transaction Manager for ACH Services, Financial Transaction Manager for Check Services, and Financial Transaction Manager for Corporate Payment Services for ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014821 ∗∗∗ IBM Security Bulletin: Denial of Service in Apache CXF used by Liberty for Java for IBM Cloud (CVE-2017-12624) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22015296 ∗∗∗ IBM Security Bulletin: Information Disclosure in IBM HTTP Server and Denial of Service in Apache CXF used by IBM WebSphere Application Server for IBM Cloud (CVE-2017-12613, CVE-2017-12624) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015297 ∗∗∗ FreeBSD IPsec AH Option Header Infinite Loop Lets Remote Users Cause the Target System to Crash ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1040628 ∗∗∗ HPE integrated Lights Out (iLO) TLS Diffie-Hellman Export Cipher Downgrade Attack Lets Remote Users Decrypt Connections ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1040630 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2018
by Daily end-of-shift report 04 Apr '18

04 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-04-2018 18:00 − Mittwoch 04-04-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Intel Admits It Wont Be Possible to Fix Spectre (V2) Flaw in Some Processors ∗∗∗ --------------------------------------------- As speculated by the researcher who disclosed Meltdown and Spectre flaws in Intel processors, some of the Intel processors will not receive patches for the Spectre (variant 2) side-channel analysis attack In a recent microcode revision guidance (PDF), Intel admits that it would not be possible to address the Spectre design flaw in its specific old CPUs, because it requires changes to the --------------------------------------------- https://thehackernews.com/2018/04/intel-spectre-vulnerability.html ∗∗∗ Pocket cryptofarms - Investigating mobile apps for hidden mining ∗∗∗ --------------------------------------------- We've noticed that attackers no longer limit themselves to servers, desktops, and laptops. They are increasingly drawn to mobile devices, mainly Android. We decided to take a closer look to see which mobile apps stealthily mine digital coins on user devices and how widespread they are. --------------------------------------------- https://securelist.com/pocket-cryptofarms/85137/ ∗∗∗ BSI warnt vor Sicherheitslücken in iTunes für Windows ∗∗∗ --------------------------------------------- Apples Medienverwaltung enthält mehrere kritische Fehler – nicht nur in der enthaltenen Browser-Engine WebKit. Sicherheits-Bugs stecken auch in der iCloud-Unterstützung für Windows. --------------------------------------------- https://heise.de/-4010622 ∗∗∗ Nvidia patcht mehrere Lücken in GPU-Treibern ∗∗∗ --------------------------------------------- Lücken in mehreren Nvidia-Grafikkartentreibern können unter anderem für die Code-Ausführung aus der Ferne missbraucht werden. Gepatchte Versionen stehen zum Download bereit. --------------------------------------------- https://www.heise.de/-4010707 ∗∗∗ LockCrypt ransomware: weakness in code can lead to recovery ∗∗∗ --------------------------------------------- A lesser-known variant called LockCrypt ransomware has been creeping around under the radar since June 2017. We take a look inside its code and expose its flaws. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2018/04/lockcrypt-ransomware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Malware Protection Engine: Sicherheitsupdate behebt kritische Schwachstelle ∗∗∗ --------------------------------------------- Am 03.04.18 hat Microsoft ein Update zur Behebung des kritischen Fehlers CVE-2018-0986 in der hauseigenen Antiviren-Software (Microsoft Malware Protection Engine) benutzt in zum Beispiel Windows Defender, Microsoft Security Essentials, Microsoft Intune Endpoint, Microsoft Forefront Endpoint 2010 sowie in Exchange Server 2013 und 2016 unter den Systemen Windows 7 bis Windows 10 beziehungsweise [...] --------------------------------------------- http://www.cert.at/services/blog/20180404151337-2161.html ∗∗∗ Siemens Building Technologies Products ∗∗∗ --------------------------------------------- This advisory includes mitigations for a series of vulnerabilities in Siemens Building Technologies Products, including stack-based buffer overflows, security features, improper restriction of operations within the bounds of a memory buffer, NULL pointer deference, XML entity expansion, heap-based buffer overflow, and improper access control. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-093-01 ∗∗∗ USN-3618-1: LibVNCServer vulnerability ∗∗∗ --------------------------------------------- LibVNCServer could be made to crash, expose sensitive information, or run programs if it received specially crafted network traffic. [...] It was discovered that LibVNCServer incorrectly handled certain packetlengths. A remote attacker able to connect to a LibVNCServer could possiblyuse this issue [...] --------------------------------------------- https://usn.ubuntu.com/3618-1/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, ldap-account-manager, and openjdk-7), Fedora (libuv and nodejs), Gentoo (glibc and libxslt), Mageia (acpica-tools, openssl, and php), SUSE (clamav, coreutils, and libvirt), and Ubuntu (kernel, libraw, linux-hwe, linux-gcp, linux-oem, and python-crypto). --------------------------------------------- https://lwn.net/Articles/750902/ ∗∗∗ IBM Security Bulletin: This Power Hardware Management Console (HMC) update is being released to address Common Vulnerabilities and Exposures issue numbers CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754 (known as Spectre and Meltdown). ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=nas8N1022442 ∗∗∗ Cacti Input Validation Flaw in get_current_page() Lets Remote Users Conduct Cross-Site Scripting Attacks ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1040620 ∗∗∗ WordPress 4.9.5 Security and Maintenance Release ∗∗∗ --------------------------------------------- https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2018
by Daily end-of-shift report 03 Apr '18

03 Apr '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-03-2018 18:00 − Dienstag 03-04-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Java Deserialization Attack Against Windows, (Tue, Apr 3rd) ∗∗∗ --------------------------------------------- Recently we talked a lot about attacks exploiting Java deserialization vulnerabilties in systems like Apache SOLR and WebLogic. Most of these attacks targeted Linux/Unix systems. But recently, I am seeing more attacks that target windows. For example: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/23513 ∗∗∗ Sicherheitslücke in Apple Mail erlaubte Mitlesen verschlüsselter Nachrichten ∗∗∗ --------------------------------------------- Mit macOS 10.13.4 behebt der Mac-Hersteller einen Bug, über den Angreifer im lokalen Netz an Inhalte von mit S/MIME gesicherter Post gelangen konnten. Ob frühere Betriebssysteme weiterhin betroffen sind, bleibt unklar. --------------------------------------------- https://heise.de/-4009761 ∗∗∗ Fake-Profile sammeln auf Facebook Telefonnummern ∗∗∗ --------------------------------------------- Kriminelle erstellen auf Facebook Fake-Profile und geben sich so als Freund oder Freundin möglicher Opfer aus. Anschließend versuchen sie an die Telefonnummer der Betroffenen zu kommen, um Einkäufe über deren Mobilfunkrechnung tätigen zu können. Wer in die Falle tappt, verliert sein Geld. --------------------------------------------- https://www.watchlist-internet.at/news/fake-profile-sammeln-auf-facebook-te… ∗∗∗ iPhone X-Gewinnspiel kostet 89 Euro im Monat ∗∗∗ --------------------------------------------- Für die Teilnahme an einem iPhone X-Gewinnspiel auf braingamemasters.com sollen Konsumenten monatlich 89 Euro bezahlen. Der Betrag wird für eine Mitgliedschaft für das Spiel Trainyourbrainskils in Rechnung gestellt. Konsumenten müssen den Betrag nicht bezahlen, denn dafür gibt es keinen Rechtsgrund. --------------------------------------------- https://www.watchlist-internet.at/news/iphone-x-gewinnspiel-kostet-89-euro-… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Moxa AWK-3131A Multiple Features Login Username Parameter OS Command Injection Vulnerability ∗∗∗ --------------------------------------------- This vulnerability is discovered by Patrick DeSantis and Dave McDaniel of Cisco TalosToday, Talos is disclosing TALOS-2017-0507 (CVE-2017-14459), a vulnerability that has been identified in Moxa AWK-3131A industrial wireless access point. --------------------------------------------- http://blog.talosintelligence.com/2018/04/vulnerability-spotlight-moxa-awk-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dovecot, irssi, libevt, libvncserver, mercurial, mosquitto, openssl, python-django, remctl, rubygems, and zsh), Fedora (acpica-tools, dovecot, firefox, ImageMagick, mariadb, mosquitto, openssl, python-paramiko, rubygem-rmagick, and thunderbird), Mageia (flash-player-plugin and squirrelmail), Slackware (php), and Ubuntu (dovecot). --------------------------------------------- https://lwn.net/Articles/750759/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (beep and jruby), Fedora (libvncserver), and Ubuntu (openjdk-7 and openjdk-8). --------------------------------------------- https://lwn.net/Articles/750829/ ∗∗∗ 21 IBM Security Advisories 2018-04-03 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ [webapps] osCommerce 2.3.4.1 - Remote Code Execution ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/44374/?rss ∗∗∗ Security Advisory - Multiple Buffer Overflow Vulnerabilities in Bastet of Huawei Smart Phone ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170405-… ∗∗∗ Security Advisory - MITM Vulnerability in Huawei Themes App in Some Mobile Phones ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170908-… ∗∗∗ Security Advisory - CPU Vulnerabilities Meltdown and Spectre ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180106-… ∗∗∗ Android Security Bulletin - April 2018 ∗∗∗ --------------------------------------------- https://source.android.com/security/bulletin/2018-04-01.html ∗∗∗ Linux kernel vulnerability CVE-2017-17448 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01043241 ∗∗∗ Apache Commons FileUpload vulnerability CVE-2016-1000031 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K25206238 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.03.2018
by Daily end-of-shift report 30 Mar '18

30 Mar '18

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-03-2018 18:00 − Freitag 30-03-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 10 Steps to Avoid Insecure Deserialization ∗∗∗ --------------------------------------------- You might think that your applications are secure and safe from prying eyes, but hackers are using ever more sophisticated methods to capture your user data over the Internet. We will explore some of the most common insecure deserialization methods that have been uncovered recently, and look at 10 steps that can be implemented [...] --------------------------------------------- http://resources.infosecinstitute.com/10-steps-avoid-insecure-deserializati… ∗∗∗ How to Identify and Mitigate XXE Vulnerabilities ∗∗∗ --------------------------------------------- Security vulnerabilities that are created through the serialization of sensitive data are well known, yet some developers are still falling into this trap. We will look at some basic web application safeguards that you can employ to keep your applications hardened against this growing threat. To help understand this growing problem, we will turn [...] --------------------------------------------- http://resources.infosecinstitute.com/identify-mitigate-xxe-vulnerabilities/ ∗∗∗ ENISA publishes the first comprehensive study on cyber Threat Intelligence Platforms ∗∗∗ --------------------------------------------- ENISA has released the first comprehensive study on cyber Threat Intelligence Platforms (TIPs) focused on the needs of consumers, users, developers, vendors and the security research community. --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/enisa-publishes-first-study-on-… ===================== = Vulnerabilities = ===================== ∗∗∗ Philips iSite/IntelliSpace PACS Vulnerabilities ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for vulnerabilities identified in the Philips Philips iSite and IntelliSpace PACS. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-088-01 ∗∗∗ WAGO 750 Series ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper resource shutdown or release vulnerability in the WAGO 750 series PLC. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-088-01 ∗∗∗ Siemens TIM 1531 IRC ∗∗∗ --------------------------------------------- This advisory includes mitigations for an incorrect implementation of authentication algorithm vulnerability in the Siemens TIM 1531 IRC communications modules. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-088-02 ∗∗∗ Siemens SIMATIC PCS 7, SIMATIC WinCC, SIMATIC WinCC Runtime Professional, and SIMATIC NET PC Software ∗∗∗ --------------------------------------------- This advisory includes mitigations for an improper input validation vulnerability in the Siemens SIMATIC PCS 7, SIMATIC WinCC, SIMATIC WinCC Runtime Professional, and SIMATIC NET PC Software. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-088-03 ∗∗∗ Apple Releases Multiple Security Updates ∗∗∗ --------------------------------------------- Original release date: March 29, 2018 Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.NCCIC/US-CERT encourages users and administrators to review Apple security pages for the following products and apply the necessary updates:iOS 11.3, tvOS 11.3, watchOS 4.3, Xcode 9.3 [...] --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2018/03/29/Apple-Releases-Mul… ∗∗∗ Kritische Sicherheitslücke in Microsoft Windows - Patch verfügbar ∗∗∗ --------------------------------------------- Microsoft hat ein Security Advisory sowie ein Sicherheitsupdate dazu ausserhalb des normalen Patch-Zyklus veröffentlicht. Der Bug ermöglicht einem Angreifer durch eine Privilege Escalation beliebigen Code mit Kernel Rechten auszuführen. CVE: CVE-2018-1038 Details: Durch Ausnutzen der Lücke kann ein Angreifer höhere Rechte auf betroffenen Systemen erlangen, und [...] --------------------------------------------- http://www.cert.at/warnings/all/20180330.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (memcached, openssl, openssl1.0, php5, thunderbird, and xerces-c), Fedora (python-notebook, slf4j, and unboundid-ldapsdk), Mageia (kernel, libvirt, mailman, and net-snmp), openSUSE (aubio, cacti, cacti-spine, firefox, krb5, LibVNCServer, links, memcached, and tomcat), Slackware (ruby), SUSE (kernel and python-paramiko), and Ubuntu (intel-microcode). --------------------------------------------- https://lwn.net/Articles/750573/ ∗∗∗ IBM Security Bulletin: IBM Web Experience Factory is Affected by an Apache Poi Vulnerability ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014912 ∗∗∗ IBM Security Bulletin: IBM Aspera Platform On Demand, IBM Aspera Server On Demand, IBM Aspera Faspex On Demand, IBM Aspera Shares On Demand, IBM Aspera Transfer Cluster Manager is affected by the vulnerabilities known as Spectre and Meltdown. ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22012643 ∗∗∗ IBM Security Bulletin: Potential spoofing attack in IBM WebSphere Application Server in IBM Cloud (CVE-2017-1788) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014798 ∗∗∗ IBM Security Bulletin: IBM MobileFirst Platform Foundation is vulnerable to cross-site scripting (CVE-2017-1772) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg2C1000369 ∗∗∗ IBM Security Bulletin: OpenSource Apache ActiveMQ vulnerabilities identified with IBM Tivoli Integrated Portal (TIP) v2.2 ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014179 Next End-of-Day report: 2018-04-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.03.2018
by Daily end-of-shift report 29 Mar '18

29 Mar '18

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-03-2018 18:00 − Donnerstag 29-03-2018 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Total Meltdown? ∗∗∗ --------------------------------------------- Did you think Meltdown was bad? Unprivileged applications being able to read kernel memory at speeds possibly as high as megabytes per second was not a good thing. Meet the Windows 7 Meltdown patch from January. It stopped Meltdown but opened up a vulnerability way worse [...] --------------------------------------------- https://blog.frizk.net/2018/03/total-meltdown.html ∗∗∗ Warnung vor Travel Planet Amsterdam ∗∗∗ --------------------------------------------- Urlauber/innen finden auf Travel Planet Amsterdam (travelplanetamsterdam.com) günstige Unterkünfte. Sie sind von fremden Websites kopiert und in Wahrheit nicht bei dem Anbieter buchbar. Die Unterkünfte sollen Reisende vorab bezahlen. Das Geld ist verloren, denn Travel Planet Amsterdam ist ein betrügerischer Anbieter, der keine Leistung erbringt. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-vor-travel-planet-amsterdam/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Angreifer könnten Firefox und Tor Browser lahmlegen ∗∗∗ --------------------------------------------- Die Entwickler haben die Lücke in Firefox 59.0.2, Firefox ESR 52.7.3 und Tor Browser 7.5.3 geschlossen. Alle vorigen Ausgaben sind bedroht. Angriffe sollen aus der Ferne ohne Authentifizierung möglich sein. Das von der Schwachstelle ausgehende Risiko gilt als "hoch". --------------------------------------------- https://heise.de/-4007839 ∗∗∗ Citrix XenServer 7.2 Multiple Security Updates ∗∗∗ --------------------------------------------- A number of security issues have been identified within Citrix XenServer 7.2 which could, if exploited, allow a malicious man-in-the-middle (MiTM) attacker on the management network to decrypt management traffic. Collectively, this has been rated as a medium severity vulnerability; the following issues have been remediated: CVE-2016-2107 CVE-2016-2108 --------------------------------------------- https://support.citrix.com/article/CTX233832 ∗∗∗ Sicherheitslücken (teils kritisch) in Cisco IOS, Cisco IOS XE und Cisco IOS XR Software - Patches verfügbar ∗∗∗ --------------------------------------------- Sicherheitslücken (teils kritisch) in Cisco IOS, Cisco IOS XE und Cisco IOS XR Software - Patches verfügbar 29. März 2018 Beschreibung Cisco hat 20 Security Advisories zu teils kritischen Sicherheitslücken in Cisco IOS, Cisco IOS XE und Cisco IOS XR Software veröffentlicht. Drei der Schwachstellen werden mit einem CVSS Base Score von 9.8 als kritisch eingestuft: ... --------------------------------------------- http://www.cert.at/warnings/all/20180329-2.html ∗∗∗ Kritische Sicherheitslücke in Drupal - Updates verfügbar ∗∗∗ --------------------------------------------- Kritische Sicherheitslücke in Drupal - Updates verfügbar 29. März 2018 Beschreibung In der verbreiteten CMS-Software Drupal ist eine kritische Sicherheitslücke entdeckt worden. Durch Ausnutzung dieses Fehlers kann auf betroffenen Systemen beliebiger Code (mit den Rechten des Webserver-Users) ausgeführt werden. CVE-Nummer: CVE-2018-7600 --------------------------------------------- http://www.cert.at/warnings/all/20180329.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (drupal7, graphicsmagick, libdatetime-timezone-perl, thunderbird, and tzdata), Fedora (gd, libtiff, mozjs52, and nmap), Gentoo (thunderbird), Red Hat (openstack-tripleo-common, openstack-tripleo-heat-templates and sensu), SUSE (kernel, libvirt, and memcached), and Ubuntu (icu, librelp, openssl, and thunderbird). --------------------------------------------- https://lwn.net/Articles/750432/ ∗∗∗ Bugtraq: CA20180328-01: Security Notice for CA API Developer Portal ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541902 ∗∗∗ IBM Security Bulletin: IBM SPSS Statistics is affected by an Apache Poi vulnerability (CVE-2017-12626) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22015075 ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM Worklight and IBM MobileFirst Platform Foundation ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg2C1000372 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVE-2017-10295, CVE-2017-10345, CVE-2017-10355, CVE-2017-10356) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22013651 ∗∗∗ IBM Security Bulletin: IBM MQ Clients can send a specially crafted message that could cause a channel to SIGSEGV. (CVE-2017-1747) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22012992 ∗∗∗ IBM Security Bulletin: Vulnerabilities in OpenSSL affect MegaRAID Storage Manager (CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099794 ∗∗∗ cURL and libcurl vulnerability CVE-2017-2628 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K35453761 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2018
by Daily end-of-shift report 28 Mar '18

28 Mar '18

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-03-2018 18:00 − Mittwoch 28-03-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Many VPN Providers Leak Customers IP Address via WebRTC Bug ∗∗∗ --------------------------------------------- Around 20% of todays top VPN solutions are leaking the customers IP address via a WebRTC bug known since January 2015, and which apparently some VPN providers have never heard of. --------------------------------------------- https://www.bleepingcomputer.com/news/security/many-vpn-providers-leak-cust… ∗∗∗ 10 Best Practices for Mobile App Penetration Testing ∗∗∗ --------------------------------------------- Penetration testing is one of the best ways to thoroughly check your defense perimeters for security weaknesses. Pentesting can be used across the entire spectrum of an IT infrastructure, including network, web application and database security. But today [...] --------------------------------------------- http://resources.infosecinstitute.com/10-best-practices-mobile-app-penetrat… ∗∗∗ How to Set Up a Web App Pentesting Lab in 4 Easy Steps ∗∗∗ --------------------------------------------- A pentesting lab can be a small entity used by one security tester, consisting of one or two computers; or it could be a larger set of networked computers behind a closed or secured network, used by a group of security testers. --------------------------------------------- http://resources.infosecinstitute.com/set-web-app-pentesting-lab-4-easy-ste… ∗∗∗ Security baseline for Windows 10 v1803 “Redstone 4” – DRAFT ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the draft release of the security configuration baseline settings for the upcoming Windows 10 version 1803, codenamed "Redstone 4." Please evaluate this proposed baseline and send us your feedback via blog comments below. Download the content here: DRAFT-Windows-10-v1803-RS4 The downloadable attachment to this blog post includes importable GPOs, scripts for applying [...] --------------------------------------------- https://blogs.technet.microsoft.com/secguide/2018/03/27/security-baseline-f… ∗∗∗ Unmasking Monero: stripping the currency’s privacy protection ∗∗∗ --------------------------------------------- The features that make blockchains trustworthy may leave them vulnerable to retrospective action. --------------------------------------------- https://nakedsecurity.sophos.com/2018/03/28/unmasking-monero-stripping-the-… ∗∗∗ TA18-086A: Brute Force Attacks Conducted by Cyber Actors ∗∗∗ --------------------------------------------- [...] According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad. On February 2018 [...] --------------------------------------------- https://www.us-cert.gov/ncas/alerts/TA18-086A ∗∗∗ Legacy technologies as a threat to EU's telecommunications infrastructure ∗∗∗ --------------------------------------------- EU level assessment of the current sets of protocols used in interconnections in telecommunications (SS7, Diameter). --------------------------------------------- https://www.enisa.europa.eu/news/enisa-news/legacy-technologies-as-a-threat… ∗∗∗ Internet Ombudsmann und Watchlist Internet Jahresbericht 2017 ∗∗∗ --------------------------------------------- Der Internet Ombudsmann informiert auf der Watchlist Internet über Internet-Betrug, Fallen und Fakes. Die Watchlist Internet verfolgt das Ziel, Leser/innen dabei zu helfen, dass sie Verbrechensversuche erkennen und keine Opfer von Cybercrime werden. Im vergangenen Jahr 2017 verfügte die Watchlist Internet über 906 redaktionelle Beiträge und verzeichnete 1,45 Millionen Seitenaufrufe. --------------------------------------------- https://www.watchlist-internet.at/news/internet-ombudsmann-und-watchlist-in… ∗∗∗ Betrügerische Mahnungen von Prolex Inkasso ∗∗∗ --------------------------------------------- Konsument/innen erhalten im Auftrag von unseriösen Streaming-Plattformen eine Mahnung von Prolex Inkasso. Darin heißt es, dass Empfänger/innen ihre offenen Rechnungen nicht beglichen haben. Deshalb sollen sie 467,16 Euro an Prolex zahlen. Die Mahnung ist betrügerisch, eine Zahlungspflicht besteht nicht. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-mahnungen-von-prolex-… ===================== = Vulnerabilities = ===================== ∗∗∗ Apples Festplattendienstprogramm "Disk Util.app" von macOS 10.13 High Sierra kann Passwort von verschlüsselten APFS-Dateisystemen offenlegen ∗∗∗ --------------------------------------------- Die Ausnutzung der Schwachstelle ermöglicht es einem lokalen Angreifer mit Administratorrechten und Zugriff auf das System-Log mit Besitz des externen Datenträgers das verschlüsselte APFS-Dateisystem zu entschlüsseln. Alle Nutzer des Festplattenprogramms sollten auf Ihren Systemen die neueste Version installieren, sobald diese zur Verfügung steht. Bis dahin sollten die Nutzer [...] --------------------------------------------- https://www.bsi-fuer-buerger.de/SharedDocs/Warnmeldungen/DE/TW/2018/03/warn… ∗∗∗ Schneider Electric Modicon Premium, Modicon Quantum, Modicon M340, and Modicon BMXNOR0200 ∗∗∗ --------------------------------------------- This advisory includes mitigations for several vulnerabilities in the Schneider Electric Modicon Premium, Modicon Quantum, Modicon M340, and Modicon BMXNOR0200 PLCs. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSA-18-086-01 ∗∗∗ Philips Alice 6 Vulnerabilities ∗∗∗ --------------------------------------------- This advisory includes mitigation recommendations for improper authentication and missing data encryption vulnerabilities identified in the Philips Alice 6 System product. --------------------------------------------- https://ics-cert.us-cert.gov/advisories/ICSMA-18-086-01 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (slf4j), Debian (firefox-esr, mupdf, net-snmp, and samba), Fedora (apache-commons-compress, calibre, chromium, glpi, kernel, libvncserver, libvorbis, mozjs52, ntp, slurm, sqlite, and wireshark), openSUSE (librelp), SUSE (librelp, LibVNCServer, and qemu), and Ubuntu (firefox and zsh). --------------------------------------------- https://lwn.net/Articles/750291/ ∗∗∗ Vuln: ImageMagick CVE-2018-8960 Heap Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/bid/103523 ∗∗∗ Security Advisory - Improper Authorization Vulnerability on Huawei Switch Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2018/huawei-sa-20180328-… ∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK Affect IBM B2B Advanced Communications ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014642 ∗∗∗ IBM Security Bulletin: Vulnerability in OpenSSH affects IBM DataPower Gateways (CVE-2017-15906) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014534 ∗∗∗ IBM Security Bulletin: The Elastic Storage Server and the GPFS Storage Server are affected by a vulnerability in IBM Spectrum Scale (CVE-2017-1654) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1012162 ∗∗∗ RSA Authentication Agent for Web Multiple Flaws Let Remote Users Deny Service and Conduct Cross-Site Scripting Attacks and Let Local Users Obtain Potentially Sensitive Information ∗∗∗ --------------------------------------------- http://www.securitytracker.com/id/1040577 ∗∗∗ [R1] Tenable Appliance 4.7.0 Fixes One Vulnerability ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2018-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.03.2018
by Daily end-of-shift report 27 Mar '18

27 Mar '18

===================== = End-of-Day report = ===================== Timeframe: Montag 26-03-2018 18:00 − Dienstag 27-03-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Academics Discover New CPU Side-Channel Attack Named BranchScope ∗∗∗ --------------------------------------------- A team of academics from four US universities have discovered a new side-channel attack that takes advantage of the speculative execution feature in modern processors to recover data from users CPUs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/academics-discover-new-cpu-s… ∗∗∗ Exploit kit development has gone to sh$t... ever since Adobe Flash was kicked to the curb ∗∗∗ --------------------------------------------- Coinkidink? Nah. Crooks are switching tactics There was a big drop in exploit kit development last year, and experts have equated this to the phasing out of Adobe Flash. --------------------------------------------- http://go.theregister.com/feed/www.theregister.co.uk/2018/03/27/exploit_kit… ∗∗∗ E-Mail-Verschlüsselung: Enigmail 2.0 ist da ∗∗∗ --------------------------------------------- Mit der neuen Enigmail-Version 2.0 für den Mail-Client Thunderbird kann man unter anderem neben Text in Mails nun auch die Betreffzeile verschlüsseln. --------------------------------------------- https://heise.de/-4005589 ∗∗∗ The Last Windows XP Security White Paper ∗∗∗ --------------------------------------------- Using the strategies and procedures we present in our paper could help prevent an attacker from taking control of your computer --------------------------------------------- https://www.welivesecurity.com/2018/03/27/last-windows-xp-security-white-pa… ===================== = Vulnerabilities = ===================== ∗∗∗ Mozilla Releases Security Updates for Firefox ∗∗∗ --------------------------------------------- Original release date: March 27, 2018 Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to cause a denial-of-service condition. NCCIC/US-CERT encourages users and administrators to review the Mozilla Security Advisory for Firefox 59.0.2 and Firefox ESR 52.7.3 and apply the necessary updates. --------------------------------------------- https://www.us-cert.gov/ncas/current-activity/2018/03/27/Mozilla-Releases-S… ∗∗∗ 2018-02-06 (updated 2018-03-27): Vulnerability in MicroSCADA Pro SYS600 9.x - Improper Access Control ∗∗∗ --------------------------------------------- 3.2.2018 Original document, 16.3.2018 Fix for SYS600 9.3 systems is available. Clarified file system permissions for created Windows groups, see FAQ. --------------------------------------------- http://search.abb.com/library/Download.aspx?DocumentID=1MRS257731&LanguageC… ∗∗∗ OpenSSL Security Advisory [27 Mar 2018] ∗∗∗ --------------------------------------------- Constructed ASN.1 types with a recursive definition could exceed the stack (CVE-2018-0739) Incorrect CRYPTO_memcmp on HP-UX PA-RISC (CVE-2018-0733) rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738) --------------------------------------------- https://openssl.org/news/secadv/20180327.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, irssi, and librelp), Gentoo (busybox and plib), Mageia (exempi and jupyter-notebook), openSUSE (clamav, dhcp, nginx, python-Django, python3-Django, and thunderbird), Oracle (slf4j), Red Hat (slf4j), Scientific Linux (slf4j), Slackware (firefox), SUSE (librelp), and Ubuntu (screen-resolution-extra). --------------------------------------------- https://lwn.net/Articles/750207/ ∗∗∗ Bugtraq: Microsoft Skype Mobile v81.2 & v8.13 - Remote Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541897 ∗∗∗ DFN-CERT-2018-0574: Librelp: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes mit den Rechten des Dienstes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0574/ ∗∗∗ DFN-CERT-2018-0573: Jenkins-Plugins: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0573/ ∗∗∗ DFN-CERT-2018-0575: Sophos UTM: Eine Schwachstelle ermöglicht die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0575/ ∗∗∗ DFN-CERT-2018-0581: Apache Struts: Eine Schwachstelle ermöglicht einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0581/ ∗∗∗ Security Notice - Statement on Command Injection Vulnerability in Huawei HG655m Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-notices/2018/huawei-sn-20180327-01-… ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Fabric Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/home/docdisplay?lndocid=MIGR-5099782 ∗∗∗ IBM Security Bulletin: ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=isg3T1027315 ∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014717 ∗∗∗ IBM Security Bulletin: IBM B2B Advanced Communications is Affected by an XML External Entity Injection (XXE) Attack when Processing XML Data ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014656 ∗∗∗ IBM Security Bulletin: Security Bulletin: IBM Security Privileged Identity Manager is affected by sensitive information in page comments vulnerability (CVE-2017-1705) ∗∗∗ --------------------------------------------- http://www.ibm.com/support/docview.wss?uid=swg22014988 ∗∗∗ NTP vulnerability CVE-2018-7184 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13540723 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.03.2018
by Daily end-of-shift report 26 Mar '18

26 Mar '18

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-03-2018 18:00 − Montag 26-03-2018 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücke: Microsoft unterbindet RDP-Anfragen von ungepatchten Clients ∗∗∗ --------------------------------------------- Eine kritische Sicherheitslücke in Microsofts Credential Security Support Provider versetzt Angreifer in die Lage, beliebigen Code auszuführen. Deswegen unterbindet das Unternehmen demnächst Verbindungsversuche ungepatchter Clients, Admins sollten also schnell handeln. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-microsoft-unterbindet-rdp-anfra… ∗∗∗ Threat Landscape for Industrial Automation Systems in H2 2017 ∗∗∗ --------------------------------------------- Kaspersky Lab ICS CERT publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second half of 2017. The main objective of these publications is to provide information support to incident response teams, enterprise information security staff and researchers in the area of industrial facility security. --------------------------------------------- http://securelist.com/threat-landscape-for-industrial-automation-systems-in… ∗∗∗ KVA Shadow: Mitigating Meltdown on Windows ∗∗∗ --------------------------------------------- On January 3rd, 2018, Microsoft released an advisory and security updates that relate to a new class of discovered hardware vulnerabilities, termed speculative execution side channels, that affect the design methodology and implementation decisions behind many modern microprocessors. This post dives into the technical details of Kernel Virtual Address (KVA) Shadow which is the Windows [...] --------------------------------------------- https://blogs.technet.microsoft.com/srd/2018/03/23/kva-shadow-mitigating-me… ∗∗∗ Adding Backdoors at the Chip Level ∗∗∗ --------------------------------------------- Interesting research into undetectably adding backdoors into computer chips during manufacture: "Stealthy dopant-level hardware Trojans: extended version," also available here:Abstract: In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical-infrastructure applications, could be maliciously manipulated during the manufacturing [...] --------------------------------------------- https://www.schneier.com/blog/archives/2018/03/adding_backdoor.html ∗∗∗ Web Application Penetration Testing Cheat Sheet ∗∗∗ --------------------------------------------- This cheatsheet is intended to run down the typical steps performed when conducting a web application penetration test. I will break these steps down into sub-tasks and describe the tools I recommend using at each level. --------------------------------------------- https://jdow.io/blog/2018/03/18/web-application-penetration-testing-methodo… ∗∗∗ Gefälschte A1-Mail fordert SIM-Karten-Aktualisierung ∗∗∗ --------------------------------------------- Kriminelle versenden eine gefälschte A1-Nachricht. Darin fordern sie Kund/innen dazu auf, dass sie ihre SIM-Karten-Details aktualisieren. Das soll auf einer gefälschten A1-Website geschehen. Kund/innen, die der Aufforderung nachkommen, übermitteln sensible Informationen an Kriminelle und werden Opfer eines Datendiebstahls. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-a1-mail-fordert-sim-kart… ∗∗∗ Achtung vor gefälschter Klarna-Rechnung! ∗∗∗ --------------------------------------------- Unter dem Betreff "Offene Rechnung von Klarna" versenden Kriminelle gefälschte Rechnungen. EmpfängerInnen werden in der E-Mail aufgefordert eine angehängte ZIP-Datei zu öffnen, um weiterführende Informationen zu offenen Beträgen zu erhalten. Die ZIP-Datei enthält jedoch Schadsoftware, Betroffene dürfen die Datei daher nicht öffnen und sollten die E-Mail löschen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-gefaelschter-klarna-rech… ∗∗∗ Forgot About Default Accounts? No Worries, GoScanSSH Didn’t ∗∗∗ --------------------------------------------- This blog post was authored by Edmund Brumaghin, Andrew Williams, and Alain Zidouemba.Executive SummaryDuring a recent Incident Response (IR) engagement, Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics. This is not the first malware family that Talos has observed that was written using Go. --------------------------------------------- http://blog.talosintelligence.com/2018/03/goscanssh-analysis.html ∗∗∗ One Year Later, Hackers Still Target Apache Struts Flaw ∗∗∗ --------------------------------------------- One year after researchers saw the first attempts to exploit a critical remote code execution flaw affecting the Apache Struts 2 framework, hackers continue to scan the Web for vulnerable servers. The vulnerability in question, tracked as CVE-2017-5638, affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. The security hole was addressed on March 6, 2017 with the release of versions 2.3.32 and 2.5.10.1. The bug, caused due to improper handling of the Content-Type header, can be [...] --------------------------------------------- https://www.securityweek.com/one-year-later-hackers-still-target-apache-str… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bchunk, thunderbird, and xerces-c), Debian (freeplane, icu, libvirt, and net-snmp), Fedora (monitorix, php-simplesamlphp-saml2, php-simplesamlphp-saml2_1, php-simplesamlphp-saml2_3, puppet, and qt5-qtwebengine), openSUSE (curl, libmodplug, libvorbis, mailman, nginx, opera, python-paramiko, and samba, talloc, tevent), Red Hat (python-paramiko, rh-maven35-slf4j, rh-mysql56-mysql, rh-mysql57-mysql, rh-ruby22-ruby, rh-ruby23-ruby, and [...] --------------------------------------------- https://lwn.net/Articles/750150/ ∗∗∗ Bugtraq: Cross-Site Scripting vulnerability in Zimbra Collaboration Suite due to the way it handles attachment links ∗∗∗ --------------------------------------------- http://www.securityfocus.com/archive/1/541891 ∗∗∗ Norton App Lock Authentication Bypass ∗∗∗ --------------------------------------------- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se… ∗∗∗ DFN-CERT-2018-0566: Nmap: Eine Schwachstelle ermöglicht das Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0566/ ∗∗∗ DFN-CERT-2018-0569: Moodle: Zwei Schwachstellen ermöglichen u.a. einen Denial-of-Service-Angriff ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0569/ ∗∗∗ DFN-CERT-2018-0571: Mozilla Thunderbird: Mehrere Schwachstellen ermöglichen u.a. die Ausführung beliebigen Programmcodes ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0571/ ∗∗∗ DFN-CERT-2018-0570: Apache Software Foundation HTTP-Server (httpd): Mehrere Schwachstellen ermöglichen u.a. die Manipulation von Sitzungsdaten ∗∗∗ --------------------------------------------- https://portal.cert.dfn.de/adv/DFN-CERT-2018-0570/ ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in Business Space affects IBM Business Process Manager, WebSphere Process Server, and WebSphere Enterprise Service Bus (CVE-2018-1384) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22012604 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability in IBM Business Process Manager (CVE-2017-1767) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22012396 ∗∗∗ IBM Security Bulletin: Potential information leakage in IBM Business Process Manager (CVE-2017-1756) ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22010796 ∗∗∗ IBM Security Bulletin: Cross-site scripting vulnerability affects Rational Engineering Lifecycle Manager ∗∗∗ --------------------------------------------- http://www-01.ibm.com/support/docview.wss?uid=swg22014831 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily