=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 18-05-2017 18:00 − Freitag 19-05-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** How did the WannaCry Ransomworm spread? ***
---------------------------------------------
Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. How did it all happen?
---------------------------------------------
https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomwor…
*** Who's responsible for fixing SS7 security issues? ***
---------------------------------------------
The WannaCry ransomware onslaught has overshadowed some of the other notable happenings this month, including the spectacular Google-themed phishing/spamming attack, and the news that attackers have managed to exploit vulnerabilities in the SS7 protocol suite to bypass German banks' two-factor authentication and drain their customers' bank accounts. According to the reports, the attackers were able to pull this scheme off by gaining access to the network of a foreign mobile network [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/05/19/ss7-security-issues/
*** Number of HTTPS phishing sites triples ***
---------------------------------------------
When, in January 2017, Mozilla and Google made Firefox and Chrome flag HTTP login pages as insecure, the intent was to make phishing pages easier to recognize, as well as push more website owners towards deploying HTTPS. But while the latter aim was achieved, and the number of phishing sites making use of HTTPS has increased noticeably, the move also had one unintended consequence: the number of phishing sites with HTTPS has increased, too.
---------------------------------------------
https://www.helpnetsecurity.com/2017/05/19/number-https-phishing-sites-trip…
*** Hintergrund: Chrome blockt ab sofort Zertifikate mit Common Name ***
---------------------------------------------
Wenn der seit Jahren etablierte, hauseigene Dienst plötzlich den HTTPS-Zugang verwehrt, liegt das vermutlich an einer Neuerung der aktuellen Chrome-Version: Google erzwingt den Einsatz der RFC-konformen "Subject Alt Names" und viele Admins müssen deshalb jetzt Hand anlegen.
---------------------------------------------
https://heise.de/-3717594
*** Bypassing Application Whitelisting with BGInfo ***
---------------------------------------------
TL;DR: BGinfo.exe older than version 4.22 can be used to bypass application whitelisting using vbscript inside a bgi file. This can run directly from a webdav server.
---------------------------------------------
https://msitpros.com/?p=3831
*** "Four Keys to Effective ICS Incident Response" ***
---------------------------------------------
While incident response in Information Technology (IT) and Operational Technology (OT) or Industrial Control Systems (ICS) may appear to be very similar, incident response in an ICS environment has different considerations and priorities. Many organizations leverage their existing IT incident response capabilities in an OT environment which may not be ideal for successful incident response [...]
---------------------------------------------
http://ics.sans.org/blog/2017/05/19/four-keys-to-effective-ics-incident-res…
*** ETERNALBLUE vs Internet Security Suites and nextgen protections ***
---------------------------------------------
Due to the recent #wannacry ransomware events, we initiated a quick test in our lab. Most vendors claim to protect against the WannaDecrypt ransomware, and some even claims they protect against ETERNALBLUE exploit (MS17-010). Unfortunately, our tests shows otherwise. Warning: We only tested the exploit and the backdoor, but not the payload (Wannacry)!
---------------------------------------------
https://www.mrg-effitas.com/eternalblue-vs-internet-security-suites-and-nex…
*** Forensik-Tool soll gelöschte Notizen aus iCloud auslesen können ***
---------------------------------------------
Der Softwareanbieter Elcomsoft hat seine App "Phone Breaker" um eine Funktion erweitert, die den Umstand ausnutzt, dass Apple offenbar auch vom Nutzer eigentlich vernichtete Notizen länger aufbewahrt.
---------------------------------------------
https://heise.de/-3718361
*** MS17-010 (Ransomware WannaCry) Impact to Cisco Products ***
---------------------------------------------
The Cisco PSIRT Team is continuing to investigate the impact of this vulnerability on Cisco products that have not reached end of software maintenance support and that do not support automated or manual updates of the Microsoft patch for these vulnerabilities. Investigation is expected to be completed by Friday, May 19th.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco…
*** HPESBGN03748 rev.1 - HPE Cloud Optimizer, Remote Disclosure of Information ***
---------------------------------------------
A potential security vulnerability has been identified in HPE Cloud Optimizer. The vulnerability could be remotely exploited resulting in disclosure of information.
---------------------------------------------
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn037…
*** Bugtraq: Nextcloud/Owncloud - Reflected Cross Site Scripting in error pages ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540569
*** DSA-3855 jbig2dec - security update ***
---------------------------------------------
Multiple security issues have been found in the JBIG2 decoder library,which may lead to denial of service, disclosure of sensitive informationfrom process memory or the execution of arbitrary code if a malformedimage file (usually embedded in a PDF document) is opened.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3855
*** Indicators Associated With WannaCry Ransomware (Update C) ***
---------------------------------------------
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01B Indicators Associated With WannaCry Ransomware that was published May 17, 2017, on the NCCIC/ICS-CERT web site.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01C
*** McAfee Network Data Loss Prevention Multiple Bugs Let Remote Users Conduct Session Hijacking and Cross-Site Scripting Attacks and Obtain Potentially Sensitive Information ***
---------------------------------------------
http://www.securitytracker.com/id/1038523
*** VMSA-2017-0009 ***
---------------------------------------------
VMware Workstation update addresses multiple security issues
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2017-0009.html
*** DFN-CERT-2017-0885: Red Hat JBoss Enterprise Application Platform, RESTEasy: Eine Schwachstelle ermöglicht das Ausführen beliebigen Programmcodes ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0885/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Samba vulnerability issue on IBM Storwize V7000 Unified (CVE-2016-2125, CVE-2016-2126) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1010052
---------------------------------------------
*** IBM Security Bulletin: IBM Cisco Switches and Directors vulnerable to Sweet32 Birthday attacks (CVE-2016-2183 CVE-2016-6329). ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1010239
---------------------------------------------
*** IBM Security Bulletin: IBM Content Navigator Cross Site Scripting Vulnerability ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002356
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in Network Security Services (NSS) component affect SAN Volume Controller, Storwize family and FlashSystem V9000 products. ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010118
---------------------------------------------
*** IBM Security Bulletin: Open redirect vulnerability in IBM Business Process Manager (CVE-2017-1159) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22000253
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in OpenSSL affect IBM SONAS (CVE-2017-3731) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1010136
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 17-05-2017 18:00 − Donnerstag 18-05-2017 18:00
Handler: Stephan Richter
Co-Handler: Alexander Riepl
*** Bootstrap - Critical - Information Disclosure - SA-CONTRIB-2017-048 ***
---------------------------------------------
This theme enables you to bridge the gap between the Bootstrap Framework and Drupal. The theme does not sufficiently exclude the submitted password value when an incorrect value ..
---------------------------------------------
https://www.drupal.org/node/2879177
*** 4022345 - Identifying and correcting failure of Windows Update client to receive updates - Version: 1.3 ***
---------------------------------------------
Microsoft is releasing this security advisory to provide information related to an uncommon deployment scenario in which the Windows Update Client may not properly scan for, or download, updates. This scenario may affect customers who installed ..
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/4022345
*** iPrint Appliance 2.0 Patch 5 ***
---------------------------------------------
iPrint Appliance 2.0 Patch 5 includes bug fixes, security fixes and a consolidation of previously released patches and hot patches for the iPrint Appliance 2.0.
---------------------------------------------
https://download.novell.com/Download?buildid=nKiTte1j9yM~
*** iPrint Appliance 2.1 Patch 3 ***
---------------------------------------------
iPrint Appliance 2.1 Patch 3 is a cumulative patch including fixes from all the previous 2.1 patches and hot fixes.
---------------------------------------------
https://download.novell.com/Download?buildid=4QmSWkUlwrA~
*** Indicators Associated With WannaCry Ransomware (Update B) ***
---------------------------------------------
This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01A Indicators Associated With WannaCry Ransomware that was published May 16, 2017, on the NCCIC/ICS-CERT web site.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01B
*** My Little CVE Bot ***
---------------------------------------------
The massive spread of the WannaCry ransomware last Friday was another good proof that many organisations still fail to patch their systems. Everybody admits that patching is a boring task. They are many constraints that make this process very difficult to implement ..
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22432
*** Handbrake-Trojaner: Quellcode des Mac-Entwicklerstudios Panic entwendet ***
---------------------------------------------
Die auf Mac-Nutzer abzielene Malware “Proton” hat ein erstes prominentes Opfer gefordert: Unbekannte klauten den Quelltext zu mehreren Apps des Entwicklerstudios Panic. Kundendaten sind nicht betroffen, betont das Unternehmen.
---------------------------------------------
https://heise.de/-3716479
*** Why the most successful Retefe spam campaign never paid off ***
---------------------------------------------
Switzerland is one of the main targets of the Retefe banking trojan since its first appearance in November 2013. At ..
---------------------------------------------
https://securityblog.switch.ch/2017/05/18/why-the-most-successful-retefe-sp…
*** SSB-412479 (Last Update 2017-05-17): Customer Information on WannaCry Malware for Siemens Healthineers Imaging and Diagnostics Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_bulletin_ssb-412479…
*** [2017-05-18] Multiple critical vulnerabilities in Western Digital TV Media Player ***
---------------------------------------------
Multiple critical vulnerabilities, such as unauthenticated arbitrary file upload or local file inclusion, within the WDTV Media Player devices allow an attacker to take over the device over the network.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
*** Security Alert: BlueDoom Worm Caught Spreading through EternalBlue, Integrates Batch of Leaked NSA Exploits ***
---------------------------------------------
Unfortunately for users who haven’t patched their systems yet after the WannaCry ransomware campaign, there has been an increase in attempts to abuse the EternalBlue exploit in the past few ..
---------------------------------------------
https://heimdalsecurity.com/blog/bluedoom-worm-eternablue-nsa-exploits/
*** ATM Black Box attacks: 27 arrested all over Europe ***
---------------------------------------------
The efforts of a number of EU Member States and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), culminated in the arrest of 27 individuals linked with so-called ATM Black Box attacks across ..
---------------------------------------------
https://www.helpnetsecurity.com/2017/05/18/black-box-attacks/
*** 22 Cisco Security Advisories 2017-05-17 ***
---------------------------------------------
1 Critical, 3 High, 18 Medium
---------------------------------------------
https://tools.cisco.com/security/center/publicationListing.x
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 16-05-2017 18:00 − Mittwoch 17-05-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Jetzt patchen: Gerfährliche Sicherheitslücke in Joomla ***
---------------------------------------------
Das Joomla-Team schließt mit Version 3.7.1 eine SQL-Injection-Lücke, die fatale Folgen haben kann. Joomla-Admins sollten zügig reagieren.
---------------------------------------------
https://heise.de/-3716175
*** WordPress-Update 4.7.5 schließt sechs Sicherheitslücken ***
---------------------------------------------
Zwar werden keine der Lücken als kritisch eingestuft, Admins sollten sich aber trotzdem um die XSS- und CSRF-Lücken kümmern.
---------------------------------------------
https://heise.de/-3716055
*** Extending Microsoft Edge Bounty Program ***
---------------------------------------------
Over the past 10 months, we've paid out more than $200,000 USD in bounties to researchers reporting vulnerabilities through the Microsoft Edge Bounty Program. Partnering with the research community has helped improve Microsoft Edge security, and to continue this collaboration, today we're extending the end date of the Edge on Windows Insider Preview (WIP) bounty...
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2017/05/16/extending-microsoft-edg…
*** BSI veröffentlicht Mindeststandard für Mobile Device Management ***
---------------------------------------------
Der Mindeststandard definiert in 40 technischen und organisatorischen Regeln die Anforderungen an MDM-Systeme des Bundes sowie deren Betrieb. Er definiert, welche Richtlinien ein System umsetzen können muss, lässt aber Spielraum bei deren Ausgestaltung.
---------------------------------------------
https://heise.de/-3715500
*** Basic Best Practices for Securing LDAP and Active Directory with Red Hat ***
---------------------------------------------
In the enterprise, its very popular to manage Windows client PCs through Red Hat servers. This sort of configuration is especially common in healthcare and the financial services industries. Red Hat Enterprise Linux (RHEL) has good software for working with Windows Active Directory. Red Hat Enterprise Linux can also manage clients with multiple platforms, such as Windows, OS X, Android, and other Linux distributions with OpenLDAP, an opensource implementation of the Lightweight Directory Access [...]
---------------------------------------------
https://www.alienvault.com/blogs/security-essentials/basic-best-practices-f…
*** Gefälschtes easybank-Schreiben: Konto gesperrt ***
---------------------------------------------
Kriminelle versenden eine gefälschte easybank-Nachricht. Darin heißt es, dass Unbekannte auf das Konto zugegriffen haben. Deshalb sollen Kund/innen eine Website aufrufen, persönliche Bankdaten bekannt geben und ihr Konto bestätigen. Wer die verlangten Informationen Preis gibt, übermittelt sie an Verbrecher/innen.
---------------------------------------------
https://www.watchlist-internet.at/phishing/gefaelschtes-easybank-schreiben-…
*** Why Phishing Attacks Succeed ***
---------------------------------------------
The first time I received a "secure" email message from my bank, I was a bit suspicious of what I was actually seeing. It looked too much like a phishing attempt for my comfort. The message in my inbox was from my banker's email address, not from Chase 1 directly. It also included an attached HTML page and instructions to "open the attached page in an browser for instructions on how to proceed."
---------------------------------------------
https://ttmm.io/tech/why-phishing-attacks-succeed/
*** How Big Fuzzing helps find holes in open source projects ***
---------------------------------------------
Googles beta project, OSS-Fuzz, has found 264 vulnerabilities in 47 open-source projects - so is it an idea whose time has come?
---------------------------------------------
https://nakedsecurity.sophos.com/2017/05/17/how-big-fuzzing-helps-find-hole…
*** Security Advisory - DoS Vulnerability in Some Huawei Products ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170517-…
*** SSB-412479 (Last Update 2017-05-16): Customer Information on WannaCry Malware for Siemens Healthineers Imaging and Diagnostics Products ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_bulletin_ssb-421479…
*** Indicators Associated With WannaCry Ransomware (Update A) ***
---------------------------------------------
This updated alert is a follow-up to the original alert titled ICS-ALERT-17-135-01 Indicators Associated With WannaCry Ransomware that was published May 15, 2017, on the NCCIC/ICS-CERT web site.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01A
*** FortiOS stored XSS vulnerability in the policy global-label parameter ***
---------------------------------------------
FortiOS is subject to a Cross-Site Scripting vulnerability, due to an improperly sanitized parameter in a hidden CLI configuration setting named global-label . This can however only be exploited by an administrator with write privileges.
---------------------------------------------
http://fortiguard.com/psirt/FG-IR-17-057
*** NTP vulnerability CVE-2017-6463 ***
---------------------------------------------
NTP vulnerability CVE-2017-6463. Security Advisory. Security Advisory Description. NTP before 4.2.8p10 and 4.3.x before ...
---------------------------------------------
https://support.f5.com/csp/article/K02951273
*** Linux kernel vulnerability CVE-2017-8106 ***
---------------------------------------------
Linux kernel vulnerability CVE-2017-8106. Security Advisory. Security Advisory Description. The handle_invept function ...
---------------------------------------------
https://support.f5.com/csp/article/K34886212
*** Schneider Electric VAMPSET ***
---------------------------------------------
This advisory contains mitigation details for a memory corruption vulnerability in Schneider Electric's VAMPSET.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-136-04
*** Detcon SiteWatch Gateway ***
---------------------------------------------
This advisory contains mitigation details for authentication bypass and plaintext storage of a password vulnerabilities in Detcon's SiteWatch Gateway.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-136-01
*** Hanwha Techwin SRN-4000 ***
---------------------------------------------
This advisory contains mitigation details for an unauthenticated access vulnerability in Hanwha Techwin's SRN-4000.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-136-03
*** Schneider Electric SoMachine HVAC ***
---------------------------------------------
This advisory contains mitigation details for buffer overflow and DLL hijack vulnerabilities in Schneider Electric's SoMachine HVAC.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-136-02
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Security Network Protection ***
http://www-01.ibm.com/support/docview.wss?uid=swg21999513
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in IBM Java SDK affects IBM Algo One Algo Risk Application and Core (CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=swg22000818
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003157
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Monitoring ***
http://www.ibm.com/support/docview.wss?uid=swg22002865
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Integration Designer and WebSphere Integration Developer ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002555
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One Core (CVE-2016-8745) ***
http://www.ibm.com/support/docview.wss?uid=swg22001932
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in OpenSSH affects IBM Security Network Protection (CVE-2015-8325) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21999248
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime IBM affect IBM Decision Optimization Center and IBM ILOG ODM Enterprise ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003304
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM ILOG CPLEX Optimization Studio ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003305
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in GNU C library (glibc) affect IBM Security Network Protection ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001907
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Network Protection (CVE-2016-8610, and CVE-2017-3731) ***
http://www-01.ibm.com/support/docview.wss?uid=swg21999162
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in NTP affect IBM Security Network Protection ***
http://www-01.ibm.com/support/docview.wss?uid=swg21999246
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 15-05-2017 18:00 − Dienstag 16-05-2017 18:00
Handler: Petr Sikuta
Co-Handler: Stephan Richter
*** WannaCry? Do your own data analysis., (Tue, May 16th) ***
---------------------------------------------
In God we trust. All others must bring data ~Bob Rudis With endless amounts of data, technical detail, and insights on WannaCrypt/WannaCry, and even more FUD, speculation, and even downright trolling, herein is a proposal for you to do your own data-driven security analysis. My favorite book to help you scratch that itch? Data Driven Security: Analysis, Visualization and Dashboards, by Jay Jacobs Bob Rudis. A few quick samples, using WannaCry data and R, the open source programming language and [...]
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22424&rss
*** Digital signature service DocuSign hacked and email addresses stolen ***
---------------------------------------------
Digital signature service DocuSign said Monday that an unnamed third-party had got access to email addresses of its users after hacking into its systems.The hackers gained temporary access to a peripheral sub-system for communicating service-related announcements to users through email, the company said. It confirmed after what it described as a complete forensic analysis that only email addresses were accessed, and not other details such as names, physical addresses, passwords, social security [...]
---------------------------------------------
http://www.cio.com/article/3196854/security/digital-signature-service-docus…
*** Apple-Updates schließen unangenehme Sicherheitslücken in iCloud, iTunes und iOS ***
---------------------------------------------
Patchday bei Apple: Das BSI warnt vor mehreren Sicherheitslücken in iTunes und iCloud auf Windows, sowie dem Mobilbetriebssystem iOS, die es Angreifern ermöglichen, Code auszuführen. Anwender sollten sicherstellen, dass die Updates installiert wurden
---------------------------------------------
https://heise.de/-3715077
*** Chrome Browser Hack Opens Door to Credential Theft ***
---------------------------------------------
Researchers at DefenseCode claim a vulnerability in Google's Chrome browser allows hackers to steal credentials and launch SMB relay attacks.
---------------------------------------------
http://threatpost.com/chrome-browser-hack-opens-door-to-credential-theft/12…
*** Cisco Snort++ Protocol Decoder Denial of Service Vulnerabilities ***
---------------------------------------------
Two vulnerabilities in the protocol decoders of Snort++ (Snort 3) could allow an unauthenticated, remote attacker to create a Denial of Service (DoS) condition.The vulnerabilities are due to lack of validation in the protocol decoders. An attacker could exploit these vulnerabilities by crafting a malicious packet and sending it through the targeted device. A successful exploit could allow the attacker to cause a DoS condition if the Snort process restarts and traffic inspection is bypassed or [...]
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Indicators Associated With WannaCry Ransomware ***
---------------------------------------------
This alert is a follow-up to US-CERT alert TA17-132A Indicators Associated With WannaCry Ransomware, which was originally posted to the US-CERT web site on May 12, 2017.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01
*** Novell Messenger 3.0.3 P3 ***
---------------------------------------------
Abstract: Novell Messenger 3.0.3 P3 has been released. This release only includes fixes for the Linux platform. Please view the Change Log for modifications made to the program. There have also been changes to update security issues with the product. Please see the Security Fix section for details. NOTE: This version is not designed to work with eDir 9. If you require eDir 9 support, contact Micro Focus Technical Support. Document ID: 5296730Security Alert: YesDistribution Type:
---------------------------------------------
https://download.novell.com/Download?buildid=U3MFbmzMet0~
*** IDM 4.6 RACF Driver 4.0.3.1 ***
---------------------------------------------
Abstract: IDM 4.6 Bi-Directional RACF Driver Version 4.0.3.1. This patch is for the Identity Manager 4.6 RACF Driver. Field patch for IDMLOAD.XMT, SAMPLIB.XMT, RACFEXEC.XMTDocument ID: 5297291Security Alert: YesDistribution Type: Field Test FileEntitlement Required: YesFiles:idm46racf-patch1.tar.gz (2.66 MB)Products:Identity Manager 4.5Identity Manager 4.6Superceded Patches:IDM 4.0.2 RACF Driver Version 4.0.0.11 Patch 3
---------------------------------------------
https://download.novell.com/Download?buildid=LSTFMkrcRo0~
*** Apple Security Updates ***
---------------------------------------------
*** macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite ***
https://support.apple.com/kb/HT207797
---------------------------------------------
*** iOS 10.3.2 ***
https://support.apple.com/kb/HT207798
---------------------------------------------
*** watchOS 3.2.2 ***
https://support.apple.com/kb/HT207800
---------------------------------------------
*** tvOS 10.2.1 ***
https://support.apple.com/kb/HT207801
---------------------------------------------
*** iCloud for Windows 6.2.1 ***
https://support.apple.com/kb/HT207803
---------------------------------------------
*** Safari 10.1.1 ***
https://support.apple.com/kb/HT207804
---------------------------------------------
*** iTunes 12.6.1 for Windows ***
https://support.apple.com/kb/HT207805
---------------------------------------------
*** IBM Security Bulletin ***
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime affect IBM SPSS Statistics (CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-2183) ***
http://www.ibm.com/support/docview.wss?uid=swg22002966
---------------------------------------------
*** IBM Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU Jan 2017 Includes Oracle Jan 2017 CPU affect Content Collector for SAP Applications ***
https://www-01.ibm.com/support/docview.wss?uid=swg22001462
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM SONAS ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1010199
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in the zlib component affect IBM SPSS Statistics (CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843) ***
http://www.ibm.com/support/docview.wss?uid=swg22003212
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025160
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Informix Dynamic Server and Informix Open Admin Tool ***
http://www.ibm.com/support/docview.wss?uid=swg22002897
---------------------------------------------
*** IBM Security Bulletin: Multiple Vulnerabilities in Expat affects HTTP Server shipped with Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-4472, CVE-2016-0718) ***
http://www.ibm.com/support/docview.wss?uid=swg2C1000234
---------------------------------------------
*** IBM Security Bulletin: Apache Commons FileUpload Vulnerabilities IBM WebSphere MQ (CVE-2016-3092) ***
http://www.ibm.com/support/docview.wss?uid=swg22001563
---------------------------------------------
*** IBM Security Bulletin: Vulnerability CVE-2017-2619 in Samba affects IBM i ***
http://www.ibm.com/support/docview.wss?uid=nas8N1022009
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Federated Identity Manager is affected by a missing secure attribute in the encrypted session (SSL) cookie (CVE-2017-1319) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002871
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Federated Identity Manager is affected by a cross-site scripting vulnerability (CVE-2017-1320) ***
http://www.ibm.com/support/docview.wss?uid=swg22002877
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in GnuTLS and OpenSSL affect IBM Flex System Manager (FSM) (CVE-2016-8610) ***
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024887
---------------------------------------------
*** IBM Security Bulletin: A Vulnerability in IBM Java SDK affects IBM Streams (CVE-2016-5546, CVE-2017-3253, CVE-2016-5548, CVE-2016-5549, CVE-2016-5547, CVE-2016-5552, CVE-2016-2183) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002804
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 12-05-2017 18:00 − Montag 15-05-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Ransomware: Experten warnen vor Zahlung der Wanna-Crypt-Erpressersumme ***
---------------------------------------------
Experten raten davon ab, im Falle einer Infektion mit Wanna Crypt die geforderten Bitcoins zu zahlen, denn offenbar sind die Angreifer vom Erfolg ihrer Operation überrascht. Ein kostenloses Werkzeug zum Wiederherstellen der Daten ist bislang auch nicht verfügbar.
---------------------------------------------
https://www.golem.de/news/ransomware-experten-warnen-vor-zahlung-der-wanna-…
*** WannaCry & Co.: So schützen Sie sich ***
---------------------------------------------
Nach WannaCry ist vor dem nächsten Erpressungstrojaner. Was Gefährdete jetzt tun sollten, wie Sie sich vor Nachahmern schützen können und welche Optionen bleiben, wenn der Verschlüsselungstrojaner schon zugeschlagen hat.
---------------------------------------------
https://heise.de/-3714596
*** Customer Guidance for WannaCrypt attacks ***
---------------------------------------------
Microsoft solution available to protect additional products Today many of our customers around the world and the critical systems they depend on were victims of malicious "WannaCrypt" software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and...
---------------------------------------------
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-w…
*** Security Alert: Uiwix Ransomware Is Here and It Can Be Worse Than Wannacry ***
---------------------------------------------
WannaCry distribution may have dropped, but the ransomware pandemic is not over. As we feared in yesterday's alert, another ransomware variant, known as Uiwix, has begun to spread by exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have huge potential of infection, [...]
---------------------------------------------
https://heimdalsecurity.com/blog/security-alert-uiwix-ransomware/
*** Microsoft posts PowerShell script that spawns pseudo security bulletins ***
---------------------------------------------
A Microsoft manager this week offered IT administrators a way to replicate -- in a fashion -- the security bulletins the company discarded last month."If you want a report summarizing todays #MSRC security bulletins, heres a script that uses the MSRC Portal API," John Lambert, general manager of the Microsoft Threat Intelligence Center, said in a Tuesday message on Twitter.Lamberts tweet linked to code depository GitHub, where he posted a PowerShell script that polled data using a new [...]
---------------------------------------------
http://www.cio.com/article/3196254/windows/microsoft-posts-powershell-scrip…
*** WannaCry/WannaCrypt Ransomware Summary, (Mon, May 15th) ***
---------------------------------------------
The ransomware was first noticed on Fridayand spread very quickly through many large organizations worldwide [verge]. Unlike prior ransomware, this sample used the SMBv1 ETERNALBLUE exploit to spread. ETERNALBLUE became public about a month ago in April when it was published as part of the Shadowbroker archive of NSA hacking tools [shadow]. A month prior to the release of the hacking tool, Microsoft had patched the vulnerability as part of the March Patch Tuesday release. The patch was released [...]
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22420&rss
*** Ein paar Gedanken zu WannaCry ***
---------------------------------------------
Wir haben heute unsere offizielle Warnung bezüglich der WannaCry Ransomware veröffentlicht. Ich will in diesem Blogbeitrag ein bisschen Kontext liefern, und etwas strategischer denken.
---------------------------------------------
http://www.cert.at/services/blog/20170514232126-2007.html
*** DSA-3852 squirrelmail - security update ***
---------------------------------------------
Dawid Golunski and Filippo Cavallarin discovered that squirrelmail, awebmail application, incorrectly handled a user-supplied value. Thiswould allow a logged-in user to run arbitrary commands on the server.
---------------------------------------------
https://www.debian.org/security/2017/dsa-3852
*** EMC Isilon OneFS NFS Export Upgrade ***
---------------------------------------------
Topic: EMC Isilon OneFS NFS Export Upgrade Risk: Medium Text:ESA-2017-027: EMC Isilon OneFS NFS Export Upgrade Vulnerability EMC Identifier: ESA-2017-027 CVE Identifier: CVE-2017-49...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2017050087
*** Security Advisory - WannaCry ransomware Vulnerabilities in Microsoft Windows Systems ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170513-…
*** Security Notice - Statement on "WannaCry ransomware" attacks ***
---------------------------------------------
http://www.huawei.com/en/psirt/security-notices/2017/huawei-sn-20170513-01-…
*** DRD Agent - Critical - Multiple vulnerabilities - SA-CONTRIB-2017-047 ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2017-047Project: DRD agent (third-party module)Version: 6.x, 7.x, 8.xDate: 2017-May-10Security risk: 19/25 ( Critical) AC:Complex/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Cross Site Request Forgery, Open RedirectDescriptionThe Drupal Remote Dashboard (DRD) module enables you to manage and monitor any remote Drupal site and, this module, the DRD Agent is the remote module which responds to requests from authorised DRD sites.The module doesnt [...]
---------------------------------------------
https://www.drupal.org/node/2877392
*** DSA-3854 bind9 - security update ***
---------------------------------------------
Several vulnerabilities were discovered in BIND, a DNS serverimplementation. The Common Vulnerabilities and Exposures projectidentifies the following problems:
---------------------------------------------
https://www.debian.org/security/2017/dsa-3854
*** FortiPortal Multiple Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities impacting FortiPortal were disclosed to Fortinet with details as follows:CVE-2017-7337: Improper Access Control allows a user to potentially view firewall policies and objects from a VDOM s/he is not authorized to, enumerate other customer ADOMs and view other customers dataCVE-2017-7338: Application returns password hashes, and passwords for associated FortiAnalyzer devices via the UICVE-2017-7339: Persistent XSS via the Name and Description fields in the pop-up to add [...]
---------------------------------------------
http://fortiguard.com/psirt/FG-IR-17-114
*** DFN-CERT-2017-0842: Moodle: Mehrere Schwachstellen ermöglichen u.a. einen Cross-Site-Request-Forgery-Angriff ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0842/
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Samba vulnerability issue on IBM SONAS (CVE-2016-2125, CVE-2016-2126 ) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1010051
---------------------------------------------
*** IBM Security Bulletin: Multiple Mozilla Firefox vulnerability issues in IBM Storwize V7000 Unified. ***
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009957
---------------------------------------------
*** IBM Security Bulletin: Tomcat apache vulnerability affects IBM Storwize V7000 Unified ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009993
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java Runtime affects IBM Storwize V7000 Unified (CVE-2016-5597) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009995
---------------------------------------------
*** IBM Security Bulletin: Vulnerability in IBM Java SDK affects IBM SONAS (CVE-2016-5597 ) ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009963
---------------------------------------------
*** IBM Security Bulletin: Open Source Apache Struts Vulnerabilities affect IBM Enterprise Records ***
https://www-01.ibm.com/support/docview.wss?uid=swg22000471
---------------------------------------------
*** IBM Security Bulletin: Vulnerabilities in Struts v2 affect IBM Enterprise Records ***
https://www-01.ibm.com/support/docview.wss?uid=swg22000469
---------------------------------------------
*** IBM Security Bulletin: IBM Tivoli Federated Identity Manager is affected by an XML External Entity vulnerability (CVE-2016-2908) ***
http://www.ibm.com/support/docview.wss?uid=swg22001175
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Donnerstag 11-05-2017 18:00 − Freitag 12-05-2017 18:00
Handler: Olaf Schwarz
Co-Handler: Stephan Richter
*** Telefonica Tells Employees to Shut Down Computers Amid Massive Ransomware Outbreak ***
---------------------------------------------
A ransomware outbreak is wreaking havoc all over the world, but especially in Spain, where Telefonica - one of the countrys biggest telecommunications companies - has fallen victim, and its IT staff is desperately telling employees to shut down computers and VPN connections in order to limit the ransomwares reach.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/telefonica-tells-employees-t…
*** NHS hit by ransomware attack, hospitals across country shutting down ***
---------------------------------------------
GP told of National hack of the computer health care system Updated Multiple NHS hospitals have shut down systems and are telling patients not to come in due to what is being described as a massive nationwide cyber attack.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/05/12/nhs_hospita…
*** Jaff argh snakes: 5m emails/hour ransomware floods inboxes ***
---------------------------------------------
Locky-style nasty will squeeze you for two whole bitcoins The Necurs botnet has been harnessed to fling a new strain of ransomware dubbed "Jaff".
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/05/12/jaff_ransom…
*** When Bad Guys are Pwning Bad Guys..., (Fri, May 12th) ***
---------------------------------------------
A few months ago, I wrote a diary about webshells[1] and the numerous interesting features they offer. Theyre plenty of web shells available, there are easy to find and install. They are usually delivered as one big obfuscated (read: Base64, ROT13 encoded and gzip'd) PHP file that can be simply dropped on a compromised computer.
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22410
*** Sicherheitslücke: Fehlerhaft konfiguriertes Git-Verzeichnis bei Redcoon ***
---------------------------------------------
Was haben der Online-Händler Redcoon und die Volksverschlüsselung gemeinsam? Ein unsicher konfiguriertes Git-Repository. Immer wieder machen Webseitenbetreiber denselben Fehler. (Security, API)
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-fehlerhaft-konfiguriertes-git-v…
*** HP Releases Driver Update to Remove Accidental Keylogger ***
---------------------------------------------
HP has issued an update to remove a keylogging mechanism found in the audio drivers included with some of its high-end laptops. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/hardware/hp-releases-driver-update-to…
*** Phoenix Contact GmbH mGuard ***
---------------------------------------------
This advisory contains mitigation details for resource exhaustion and improper authentication vulnerabilities in Phoenix Contact GmbH's mGuard network device.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-131-01
*** Satel Iberia SenNet Data Logger and Electricity Meters ***
---------------------------------------------
This advisory contains mitigation details for a command injection vulnerability in Satel Iberia's SenNet Data Logger and Electricity Meters.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-17-131-02
*** HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution ***
---------------------------------------------
HPESBHF03743 rev.1 - A potential security vulnerability has been identified in HPE Intelligent Management Center (iMC) PLAT. The vulnerability could be exploited remotely to allow execution of code.
---------------------------------------------
http://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf0374…
*** DSA-3849 kde4libs - security update ***
---------------------------------------------
Several vulnerabilities were discovered in kde4libs, the core librariesfor all KDE 4 applications. The Common Vulnerabilities and Exposuresproject identifies the following problems:
---------------------------------------------
https://www.debian.org/security/2017/dsa-3849
*** PostgreSQL 2017-05-11 Security Update Release ***
---------------------------------------------
Three security vulnerabilities have been closed by this release: CVE-2017-7484: selectivity estimators bypass SELECT privilege checks, CVE-2017-7485: libpq ignores PGREQUIRESSL environment variable, CVE-2017-7486: pg_user_mappings view discloses foreign server passwords
---------------------------------------------
https://www.postgresql.org/about/news/1746/
*** IBM Security Bulletin: Financial Transaction Manager for Corporate Payment Services potential Cross Site Scripting vulnerabilities (CVE-2017-1160) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22001575
*** IBM Security Bulletin: Vulnerability in the OpenSSL library affects IBM Tealeaf Customer Experience PCA (CVE-2017-3730). ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22000513
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Financial Transaction Manager for Corporate Payment Services ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22001540
*** IBM Security Bulletin: Information disclosure vulnerability affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-9735) ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22003064
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Developer for i, Rational Developer for AIX and Linux, Rational Developer for Power Systems Software ***
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22003204
=======================
= End-of-Shift report =
=======================
Timeframe: Mittwoch 10-05-2017 18:00 − Donnerstag 11-05-2017 18:00
Handler: Olaf Schwarz
Co-Handler: Alexander Riepl
*** Cisco WebEx Meetings Server Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in Cisco WebEx Meetings Server could allow unauthenticated, remote attackers to gain information that could allow them to access scheduled customer meetings.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** Google Wont Patch A Critical Android Flaw Before 'Android O' Release ***
---------------------------------------------
Millions of Android smartphones are at serious risk of "screen hijack" vulnerability that allows hackers to steal your passwords, bank details, as well as helps ransomware apps extort money from victims. The worse thing is that Google says it wont be patched until the release of Android O version ..
---------------------------------------------
http://thehackernews.com/2017/05/android-permissions-vulnerability.html
*** Microsoft Bans SHA-1 Certificates in Edge and Internet Explorer ***
---------------------------------------------
Starting yesterday, via updates delivered in the May 2017 Patch Tuesday, Microsoft browsers such as Edge and Internet Explorer, have begun flagging websites as insecure if they use SSL/TLS certificates signed with the SHA-1 algorithm.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-bans-sha-1-certifi…
*** Most companies falsely believe their Active Directory is secure ***
---------------------------------------------
A majority of companies falsely believe their Active Directory (AD) is secure, according to a new survey conducted jointly by Skyport Systems and Redmond Magazine. The response from more than 300 IT professionals located in North America revealed that AD security is in fact underperforming at those companies participating in the survey, leaving organizations open to attack from outside hackers and insider threats.
---------------------------------------------
https://www.helpnetsecurity.com/2017/05/11/active-directory-insecurity/
*** Bugtraq: ESA-2017-017: RSA Adaptive Authentication (On-Premise) Cross-Site Scripting Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540552
*** HP-Notebooks: Audio-Treiber belauscht Tastatur ***
---------------------------------------------
Bei der Sicherheits-Analyse von HP-Business-Notebooks stießen Sicherheitsforscher auf ein merkwürdiges Keylogging. Dabei schreibt der Audio-Treiber alle Tastatureingaben einschließlich der Passwörter des Anwenders in eine öffentlich lesbare Datei.
---------------------------------------------
https://heise.de/-3710250
*** Chainsaw of Custody: Manipulating forensic evidence the easy way ***
---------------------------------------------
When it comes to computer forensics, or for that matter forensics in general, one of the main challenges is to ensure that evidence that is collected is not tampered with. To achieve this, computer forensic experts adhere to a strict protocol and use many specialized ..
---------------------------------------------
http://blog.sec-consult.com/2017/05/chainsaw-of-custody-manipulating.html
*** DFN-CERT-2017-0825/">NVIDIA GPU-Treiber: Mehrere Schwachstellen ermöglichen u.a. das Eskalieren von Privilegien ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0825/
*** Edge Security Flaw Allows Theft of Facebook and Twitter Credentials ***
---------------------------------------------
Argentinian security researcher Manuel Caballero has discovered another vulnerability in Microsofts Edge browser that can be exploited to bypass a security protection feature and steal data such as passwords from other sites, or cookie files that contain sensitive information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/edge-security-flaw-allows-th…
*** Analyzing the doublepulsar kernel dll injection technique ***
---------------------------------------------
Like many in the security industry, we have been busy the last few days investigating the implications of the Shadow Brokers leak with regard to attack detection. Whilst there is a lot of interesting content, one particular component that attracted our attention initially was the DOUBLEPULSAR payload. This is because it ..
---------------------------------------------
https://www.countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-…
*** Asus-Router können beim Vorbeisurfen im Netz gekapert werden ***
---------------------------------------------
Eine ganze Reihe Router der RT-Serie von Asus beinhalten eine CSRF-Lücke und weitere Schwachstellen, die es unter Umständen möglich machen, die Einstellungen des Gerätes aus dem Web zu ändern. Updates stehen bereit.
---------------------------------------------
https://heise.de/-3712001
*** OpenVPN 2.4.1: Quarkslab and Cryptography Engineering LCC audit overview ***
---------------------------------------------
OpenVPN 2.4.1 was simultaneously reviewed by Quarkslab (funded by OSTIF) and Cryptography Engineering LCC (funded by Private Internet Access). The reports have been published on OSTIFs and PIAs web pages [..] This page lists the findings in their respective reports and shows how the issues were resolved.
---------------------------------------------
https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineer…
=======================
= End-of-Shift report =
=======================
Timeframe: Dienstag 09-05-2017 18:00 − Mittwoch 10-05-2017 18:00
Handler: Olaf Schwarz
Co-Handler: Alexander Riepl
*** EPS Processing Zero-Days Exploited by Multiple Threat Actors ***
---------------------------------------------
In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. One was a zero-day and one was patched weeks before the attack launched. Recently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.
---------------------------------------------
http://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-day…
*** Persirai: Mehr als 100.000 IP-Kameras für neues IoT-Botnetz verwundbar ***
---------------------------------------------
Derzeit entsteht ein neues IoT-Botnetz, das bislang aber noch keine Angriffe durchgeführt hat. Die Malware zur Infektion nutzt eine im März veröffentlichte Sicherheitslücke aus.
---------------------------------------------
https://www.golem.de/news/persirai-mehr-als-100-000-ip-kameras-fuer-neues-i…
*** Git Shell Bypass By Abusing Less (CVE-2017-8386) ***
---------------------------------------------
The git-shell is a restricted shell maintained by the git developers and is meant to be used as the upstream peer in a git remote session over a ssh tunnel. The basic idea behind this shell is to restrict the allowed commands in a ssh session to the ones required by git which are as follows ..
---------------------------------------------
https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-83…
*** [2017-05-10] Insecure Handling Of URI Schemes in Microsoft OneDrive iOS App ***
---------------------------------------------
Due to the lack of URI scheme validation, any external URI scheme can be invoked by the Microsoft OneDrive iOS application with out any user interaction.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
*** Patchday: Internet Explorer, Office und Windows im Visier von Hackern ***
---------------------------------------------
Nach dem Notfall-Patch für Windows stellt Microsoft zum gewohnten Termin weitere als kritisch eingestufte Sicherheitsupdates bereit. Angreifer nutzen derzeit diverse Lücken aktiv aus.
---------------------------------------------
https://heise.de/-3709022
*** Cisco: Kritische Sicherheitslücke in mehreren Switches behoben ***
---------------------------------------------
Dank CIA-Tools auf Wikileaks ein Leichtes: Über einen Fehler in IOS-Switches konnte Schadcode selbst von Amateuren direkt auf dem Gerät ausgeführt werden. Damit ist jetzt Schluss, denn Cisco hat diesen Fehler offenbar behoben.
---------------------------------------------
https://www.golem.de/news/cisco-kritische-sicherheitsluecke-in-mehreren-swi…
*** Feature, not bug: DNSAdmin to DC compromise in one line ***
---------------------------------------------
In addition to implementing their own DNS server, Microsoft has also implemented their own management protocol for that server, to allow for easy management and integration with Active Directory domains [...] We will shallowly delve into the protocol's implementation and detail a cute feature (certainly not a bug!) which allows us, under some circumstances, to run code as SYSTEM on domain controllers, without being a domain admin.
---------------------------------------------
https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-…
*** Identifying Sources of Leaks with the Gmail "+" Feature ***
---------------------------------------------
For years, Google is offering two nice features with his gmail.com platform to gain more power of your email address. You can play with the "+" (plus) sign or "." (dot) to create more email addresses linked to your primary one. Let's take an example with John who's the owner ..
---------------------------------------------
https://blog.rootshell.be/2017/05/10/identifying-sources-leaks-gmail-featur…
*** IBM Security Bulletin: IBM i is affected by networking BIND vulnerabilities (CVE-2017-3136, CVE-2017-3137 and CVE-2017-3138) ***
http://www.ibm.com/support/docview.wss?uid=nas8N1021999
---------------------------------------------
*** IBM Security Bulletin: Mozilla Firefox vulnerability issues in IBM SONAS ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009964
---------------------------------------------
*** IBM Security Bulletin: Multiple Apache Tomcat vulnerabilities affect IBM SONAS. ***
http://www.ibm.com/support/docview.wss?uid=ssg1S1009960
---------------------------------------------
*** IBM Security Bulletin: IBM WebSphere Cast Iron Solution is affected by Apache Tomcat vulnerabilities ***
http://www-01.ibm.com/support/docview.wss?uid=swg22002522
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Montag 08-05-2017 18:00 − Dienstag 09-05-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** SAP Security Patch Day - May 2017 ***
---------------------------------------------
This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that [...]
---------------------------------------------
https://blogs.sap.com/2017/05/09/sap-security-patch-day-may-2017/
*** Project Zero: Microsofts Antivirensoftware gefährdet Windows-Nutzer ***
---------------------------------------------
Googles Project Zero hat eine schwerwiegende Sicherheitslücke in der Anti-Viren-Engine von Microsoft entdeckt. Schuld daran ist die simulierte Ausführung von Javascript-Code ohne Sandbox.
---------------------------------------------
https://www.golem.de/news/project-zero-microsofts-antivirensoftware-gefaehr…
*** Defeating Magento security mechanisms: Attacks used in the real world ***
---------------------------------------------
DefenseCode recently discovered and reported multiple stored cross-site scripting and cross-site request forgery vulnerabilities in Magento 1 and 2 which will be addressed in one of the future patches. In light of these findings, this article describes examples of several attacks used in the real world that combine common vulnerabilities with faulty security mechanisms in Magento, leading to an unfavourable outcome. Examples will be aimed at Magento 2, but most of them can be applied [...]
---------------------------------------------
https://www.helpnetsecurity.com/2017/05/09/defeating-magento-security/
*** Zeit für eine AMTshandlung? ***
---------------------------------------------
Letzte Woche veröffentlichte Intel ein Advisory über eine Schwachstelle in "Intel Active Management Technology", kurz AMT. Besagte Schwachstelle erlaubt einem Angreifer, auf einem Rechner mit aktiviertem AMT, die Zugriffskontrollen für eben jenes auszuhebeln, und so administrativen Zugriff zu erlangen - [...]
---------------------------------------------
http://www.cert.at/services/blog/20170508175554-1982.html
*** [2017-05-09] Multiple vulnerabilities in I, Librarian PDF manager ***
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/2017…
*** Bugtraq: ESA-2017-035: EMC Mainframe Enablers ResourcePak Base privilege management vulnerability ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540531
*** Security Update for Microsoft Malware Protection Engine ***
---------------------------------------------
The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/4022344
*** Security Bulletin posted for Adobe Flash Player and Adobe Experience Manager Forms ***
---------------------------------------------
Adobe has published security bulletins for Adobe Flash Player (APSB17-15) and Adobe Experience Manager Forms (APSB17-16). Adobe recommends users update their product installations to the latest versions using the instructions referenced in the relevant bulletin.
---------------------------------------------
https://blogs.adobe.com/psirt/?p=1465
*** Vuln: Trend Micro Threat Discovery Appliance CVE-2016-8591 Command Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/98343
*** Vuln: Trend Micro Threat Discovery Appliance CVE-2016-8592 Command Injection Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/98345
*** Cisco IOS and IOS XE Software Simple Network Management Protocol Subsystem Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition.The vulnerability is due to a race condition that could occur when the affected software processes an SNMP read request that contains certain criteria for a specific object ID (OID) and an active crypto session is disconnected on an affected device. An attacker who can authenticate [...]
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
*** F5 Security Advisories ***
---------------------------------------------
*** NTP vulnerability CVE-2017-6451 ***
https://support.f5.com/csp/article/K32262483
---------------------------------------------
*** NTP vulnerability CVE-2017-6462 ***
https://support.f5.com/csp/article/K07082049
---------------------------------------------
*** NTP vulnerability CVE-2017-6458 ***
https://support.f5.com/csp/article/K99254031
---------------------------------------------
*** NTP vulnerability CVE-2017-6460 ***
https://support.f5.com/csp/article/K31310492
---------------------------------------------
*** NTP vulnerability CVE-2017-6464 ***
https://support.f5.com/csp/article/K96670746
---------------------------------------------
*** IBM Security Bulletins ***
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities may affect IBM SDK, Java Technology Edition ***
https://www.ibm.com/support/docview.wss?uid=swg22002169
---------------------------------------------
*** IBM Security Bulletin: Security vulnerability affects the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2017-1095) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001006
---------------------------------------------
*** IBM Security Bulletin: Security vulnerability affects the Lifecycle Query Engine (LQE) that is shipped with Jazz Reporting Service (CVE-2017-1094) ***
http://www-01.ibm.com/support/docview.wss?uid=swg22001002
---------------------------------------------
*** IBM Security Bulletin: There are multiple vulnerabilities in IBM Java Runtime and Apache Tomcat that affect IBM Cognos Business Viewpoint ***
http://www.ibm.com/support/docview.wss?uid=swg22003122
---------------------------------------------
*** IBM Security Bulletin: Secure properties can be shown in plain text in IBM UrbanCode Deploy (CVE-2016-9007) ***
http://www-01.ibm.com/support/docview.wss?uid=swg2C1000236
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Business Developer ***
http://www.ibm.com/support/docview.wss?uid=swg22002667
---------------------------------------------
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Rational Application Developer for WebSphere Software ***
http://www-01.ibm.com/support/docview.wss?uid=swg22003145
---------------------------------------------
*** IBM Security Bulletin: A vulnerability in the SQLite component of the Response Time agent affects IBM Performance Management products (CVE-2016-6153) ***
http://www.ibm.com/support/docview.wss?uid=swg22000836
---------------------------------------------
=======================
= End-of-Shift report =
=======================
Timeframe: Freitag 05-05-2017 18:00 − Montag 08-05-2017 18:00
Handler: Stephan Richter
Co-Handler: n/a
*** Intels ME-Sicherheitslücke: Tipps und Links ***
---------------------------------------------
Praxistipps zu der am 1. Mai von Intel gemeldeten Sicherheitslücke in der Firmware der Management Engine vieler Desktop-PCs, Server und Notebooks.
---------------------------------------------
https://heise.de/-3704563
*** Researchers Disclose Intel AMT Flaw Research ***
---------------------------------------------
Security firm Embedi releases further details on the Intel AMT flaw, revealing how it can be exploited and how potentially dangerous it can be.
---------------------------------------------
http://threatpost.com/researchers-disclose-intel-amt-flaw-research/125503/
*** Dell patches AMT-vulnerable systems ***
---------------------------------------------
BIOS fixes for most boxen landed Friday Dell, which last week was scrambling to work out which of its systems are affected by the Intel AMT vulnerability, has caught up with peers HP Inc, Lenovo and Fujitsu.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2017/05/07/dell_patche…
*** Hacker-Wettbewerb: Cyber Security Challenge startet ***
---------------------------------------------
Zahlreiche Teilnehmer der vergangenen Jahre haben über den Hacker-Wettbewerb Jobs in der Security-Branche gefunden. Heuer wird erstmals auch eine Starter Challenge angeboten.
---------------------------------------------
https://futurezone.at/digital-life/hacker-wettbewerb-cyber-security-challen…
*** Emsisoft Releases a Decryptor for the Amnesia Ransomware ***
---------------------------------------------
On Satruday, Emsisofts CTO and malware researcher Fabian Wosar released a decryptor for the Amnesia Ransomware. This ransomware was first spotted in early May and has had one other variant released. It was named Amnesia based on the extension appended to encrypted files by the first variant. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/emsisoft-releases-a-decrypto…
*** Exploring a P2P Transient Botnet - From Discovery to Enumeration, (Mon, May 8th) ***
---------------------------------------------
[This is a guest diary by Renato Marinho of Morphus Labs. If you are interested in writing a guest diary: please send suggestions to us via our contact page] 1. Introduction We recently deployed a high interaction honeypotsexpecting it to be compromised by a specific malware. But in the first few days, instead of getting infected by the expected malware, it received a variety of attacks ranging from SSH port forwarding to Viagra and Cialis SPAM to XORDDoS failed deployment attempts. By the [...]
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=22392&rss
*** Phishingversuch bei willhaben-Kunden ***
---------------------------------------------
Nutzer/innen von willhaben erhalten eine WhatsApp-Nachricht, die angeblich von der Kleinanzeigenplattform stammt.
---------------------------------------------
https://www.watchlist-internet.at/phishing/phishingversuch-bei-willhaben-ku…
*** In eigener Sache: CERT.at sucht Verstärkung ***
---------------------------------------------
Für unser "Daily Business" suchen wir derzeit 1 Berufsein- oder -umsteiger/in mit ausgeprägtem Interesse an IT-Security, welche/r uns bei den täglich anfallenden Standard-Aufgaben unterstützt. Details finden sich [...]
---------------------------------------------
http://www.cert.at/services/blog/20170508172334-1993.html
*** DFN-CERT-2017-0796: Nextcloud: Mehrere Schwachstellen ermöglichen u.a. das Ausspähen von Informationen ***
---------------------------------------------
https://portal.cert.dfn.de/adv/DFN-CERT-2017-0796/
*** Vuln: Panda Mobile Security for iOS CVE-2017-8060 TLS Certificate Validation Security Bypass Vulnerability ***
---------------------------------------------
http://www.securityfocus.com/bid/98327
*** HPESBGN03740 rev.1 - HPE Network Automation, Multiple Remote Vulnerabilities ***
---------------------------------------------
Potential security vulnerabilities have been identified in HPE Network Automation. The vulnerabilities could be remotely exploited to allow SQL injection, code execution, information disclosure, authentication bypass, elevated privilege execution, and invalid session management.
---------------------------------------------
http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn0374…
*** BlackBerry powered by Android Security Bulletin - May 2017 ***
---------------------------------------------
BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry powered by Android smartphones. We recommend users update to the latest available software build. BlackBerry releases security bulletins to notify users of its Android smartphones about available security fixes; see BlackBerry.com/bbsirt for a complete list of monthly bulletins. This advisory is in response to the Android Security Bulletin (May 2017) and addresses issues in that bulletin that affect [...]
---------------------------------------------
http://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber…
*** Bugtraq: CA20170504-01: Security Notice for CA Client Automation OS Installation Management ***
---------------------------------------------
http://www.securityfocus.com/archive/1/540524
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Explorer for z/OS V3.0.1 (CVE-2016-5548 and CVE-2016-5549) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22002413
*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2016-5597, CVE-2016-5542) ***
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg21994526
*** Siemens Security Advisories ***
---------------------------------------------
*** SSA-701708 (Last Update 2017-05-08): Local Privilege Escalation in Industrial Products ***
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-701708…
---------------------------------------------
*** SSA-156872 (Last Update 2017-05-08): Vulnerability in SIMATIC WinCC and SIMATIC WinCC Runtime Professional ***
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-156872…
---------------------------------------------
*** SSA-275839 (Last Update 2017-05-08): Denial-of-Service Vulnerability in Industrial Products ***
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-275839…
---------------------------------------------
*** SSA-293562 (Last Update 2017-05-08): Vulnerabilities in Industrial Products ***
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-293562…
---------------------------------------------
*** SSA-731239 (Last Update 2017-05-08): Vulnerabilities in SIMATIC S7-300 and S7-400 CPUs ***
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-731239…
---------------------------------------------
*** F5 Security Advisories ***
---------------------------------------------
*** BIG-IP APM redirect vulnerability CVE-2017-0302 ***
https://support.f5.com/csp/article/K87141725
---------------------------------------------
*** Insufficient validation of ICMP error messages CVE-2004-0790 (11.x - 13.x) ***
https://support.f5.com/csp/article/K23440942
---------------------------------------------
*** BIG-IP management vulnerability CVE-2017-9250 ***
https://support.f5.com/csp/article/K55792317
---------------------------------------------
*** iControl REST vulnerability CVE-2016-9251 ***
https://support.f5.com/csp/article/K41107914
---------------------------------------------
*** Linux kernel vulnerability CVE-2017-2647 ***
https://support.f5.com/csp/article/K32115847
---------------------------------------------
*** Websocket profile vulnerability CVE-2016-9253 ***
https://support.f5.com/csp/article/K51351360
---------------------------------------------
*** TMM vulnerability CVE-2017-6137 ***
https://support.f5.com/csp/article/K82851041
---------------------------------------------
*** BIG-IP APM XSS vulnerability CVE-2016-9257 ***
https://support.f5.com/csp/article/K43523962
---------------------------------------------
*** Multiple Oracle MySQL vulnerabilities ***
https://support.f5.com/csp/article/K77508618
---------------------------------------------