[CERT-daily] Tageszusammenfassung - Donnerstag 19-12-2013

Thu Dec 19 18:09:45 CET 2013

=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 18-12-2013 18:00 − Donnerstag 19-12-2013 18:00
Handler:     Stephan Richter
Co-Handler:  Robert Waldner

*** IBM HTTP Server GSKit SSLv2 Session Resuming Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in IBM HTTP Server, which can be exploited by malicious people to cause a DoS (Denial of Service).
---------------------------------------------
https://secunia.com/advisories/56058


*** Tor use best practices ***
---------------------------------------------
To date the NSA's and FBI's primary attacks on Tor users have been MITM attacks (NSA) and hidden service web server compromises (FBI) which either sent tracking data to the Tor user's computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised.
---------------------------------------------
http://digital-era.net/tor-use-best-practices/


*** New DDoS Bot Has a Fancy For Ferrets ***
---------------------------------------------
Researchers at Arbor Networks have discovered a new denial of service botnet called Trojan.Ferret.
---------------------------------------------
http://threatpost.com/new-ddos-bot-has-a-fancy-for-ferrets/103226


*** WordPress S3 Video Plugin "base" Cross-Site Scripting Vulnerability ***
---------------------------------------------
Input passed to the "base" GET parameter in wp-content/plugins/s3-video/views/video-management/preview_video.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is confirmed in version 0.96 and reported in versions prior to 0.983.
---------------------------------------------
https://secunia.com/advisories/56167


*** IrfanView GIF buffer overflow ***
---------------------------------------------
IrfanView is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when processing the LZW code stream within GIF files. By persuading a victim to open a specially-crafted GIF file containing an overly long LZW code stream, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/89820


*** NovaTech Orion DNP3 Improper Input Validation Vulnerability ***
---------------------------------------------
Adam Crain of Automatak and independent researcher Chris Sistrunk have identified an improper input validation vulnerability in the NovaTech Orion Substation Automation Platform. NovaTech has produced a firmware update that mitigates this vulnerability. The researchers have tested the firmware update to validate that it resolves the vulnerability.This vulnerability could be exploited remotely.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-352-01


*** IBM iNotes email message active content cross-site scripting ***
---------------------------------------------
IBM iNotes is vulnerable to cross-site scripting, caused by improper validation of active content within an email message. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials or other sensitive information.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86594


*** IBM iNotes ultra-light mode persistent cross-site scripting ***
---------------------------------------------
IBM iNotes is vulnerable to cross-site scripting in the ultra-light mode, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject and execute malicious script in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials or other sensitive information.
---------------------------------------------
http://xforce.iss.net/xforce/xfdb/86595


*** SSA-742938 (Last Update 2013-12-17): Open Ports in SINAMICS S/G Firmware ***
---------------------------------------------
SSA-742938 (Last Update 2013-12-17): Open Ports in SINAMICS S/G Firmware
---------------------------------------------
https://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-742938.pdf


*** SA-CONTRIB-2013-098 - Ubercart - Session Fixation Vulnerability ***
---------------------------------------------
Advisory ID: DRUPAL-SA-CONTRIB-2013-098Project: Ubercart (third-party module)Version: 6.x, 7.xDate: 2013-12-18Security risk: Less criticalExploitable from: RemoteVulnerability: Session FixationDescriptionThe Ubercart module for Drupal provides a shopping cart and e-commerce features for Drupal.The module doesnt sufficiently protect against session fixation attacks when a user is automatically logged in to a newly created account during checkout.This vulnerability is mitigated by the fact that
---------------------------------------------
https://drupal.org/node/2158651


*** Researchers propose international vulnerability purchase plan ***
---------------------------------------------
In a bid to cut down on costs and eliminate potential misuse, NSS Labs has put forth an initiative imploring vendors to purchase vulnerabilities.
---------------------------------------------
http://feedproxy.google.com/~r/SCMagazineHome/~3/I9nD_zWQzsI/


*** cURL Certificate Validation Flaw Lets Remote Users Spoof SSL Servers ***
---------------------------------------------
A vulnerability was reported in cURL. A remote user that can conduct a man-in-the-middle attack can spoof SSL servers.
The software does not properly verify the certificate CN or SAN name field in certain cases. A remote user that can conduct a man-in-the-middle attack can spoof SSL servers.
Systems that use GnuTLS as the TLS backend are affected.
Systems with digital signature verification (CURLOPT_SSL_VERIFYPEER) disabled are affected.
---------------------------------------------
http://www.securitytracker.com/id/1029517


*** OpenJPEG Heap Overflows Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
Several vulnerabilities were reported in OpenJPEG. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions.
A remote user can create a specially crafted image file that, when loaded by the target user, will trigger a heap overflow and execute arbitrary code on the target system [CVE-2013-6045, CVE-2013-6054]. The code will run with the privileges of the target user.
A remote user can create a specially crafted image file that, when loaded by the target user, will cause the application that uses openJPEG to crash [CVE-2013-1447, CVE-2013-6052].
---------------------------------------------
http://www.securitytracker.com/id/1029514


*** Splunk Enterprise Data Processing Flaw Lets Remote Users Deny Service ***
---------------------------------------------
A vulnerability was reported in Splunk Enterprise. A remote user can cause denial of service conditions.
A remote user can send specially crafted data to cause the target server to become unavailable.
Systems configured as data 'receivers' on the listening or receiving port(s) are affected, including instances configured as indexers and forwarders configured as intermediate forwarders.
---------------------------------------------
http://www.securitytracker.com/id/1029519


*** Blog: Malware in metadata ***
---------------------------------------------
One of the systems I have been running collects all our web malware detections for .ES domains. I usually check it out every morning, just in case I see something especially interesting or relevant. And when I find something, I like to create some statistics to have a global overview.There are some things that I find every time I check my stats, like URLs that have been infected for more than 200 days, even being notified. That speaks of the lack of security awareness on some companies, and how
---------------------------------------------
http://www.securelist.com/en/blog/208214192/Malware_in_metadata


*** Factsheet Stop using Windows XP ***
---------------------------------------------
Microsoft will stop issuing Windows XP updates as of 8 April 2014. The operating system will receive the end-of-life status. The NCSC advises, together with DefCERT, Microsoft and Team High Tech Crime, to no longer use Windows XP, but to switch to another operating system.
---------------------------------------------
http://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/factsheets/factsheet-stop-using-windows-xp.html


*** Cisco Unified Communications Manager Sensitive Information Disclosure Vulnerability ***
---------------------------------------------
A vulnerability in the disaster recovery system (DRS) of Cisco Unified Communications Manager (UCM) could allow an authenticated, remote attacker to acquire sensitive information about DRS-related devices.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-6978


*** [Announce] [security fix] GnuPG 1.4.16 released ***
---------------------------------------------
Along with the publication of an interesting new side channel attack by Daniel Genkin, Adi Shamir, and Eran Tromer we announce the availability of a new stable GnuPG release to relieve this bug: Version 1.4.16. [...] Whats New =========== * Fixed the RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack as described by Genkin, Shamir, and Tromer. See . [CVE-2013-4576]
---------------------------------------------
http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html


*** Acoustic Cryptanalysis ***
---------------------------------------------
This is neat: Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPGs current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be...
---------------------------------------------
https://www.schneier.com/blog/archives/2013/12/acoustic_crypta.html


*** Apache XML Security Transforms Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Apache XML Security, which can be exploited by malicious people to cause a DoS (Denial of Service) in an application using the library.
The vulnerability is caused due to an error when applying Transforms and can be exploited to exhaust memory resources and cause a crash.
The vulnerability is reported in versions prior to 1.5.6.
---------------------------------------------
https://secunia.com/advisories/55639


*** TRENDnet Multiple Products Telnet Security Bypass Vulnerability ***
---------------------------------------------
A vulnerability has been reported in multiple TRENDnet products, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to a certain undocumented functionality, which can be exploited to enable telnet management and subsequently manipulate device configuration.
---------------------------------------------
https://secunia.com/advisories/55890


*** Icinga Off-By-One and Buffer Overflow Vulnerabilities ***
---------------------------------------------
Some vulnerabilities have been reported in Icinga, which can be exploited by malicious users to potentially cause a DoS (Denial of Service) and compromise a vulnerable system.
1) Some boundary errors within the web interface when processing CGI parameters can be exploited to cause stack-based buffer overflows.
Successful exploitation of this vulnerability may allow execution of arbitrary code.
2) An off-by-one error within the "process_cgivars()" function can be exploited to cause an out of bounds read memory access.
The vulnerabilities are reported in versions prior to 1.10.2, 1.9.4, and 1.8.5.
---------------------------------------------
https://secunia.com/advisories/55987


*** Icinga Cross-Site Request Forgery Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Icinga, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions if a logged-in administrator visits a malicious web site.
The vulnerability is reported in version 1.10.2. Other versions may also be affected.
---------------------------------------------
https://secunia.com/advisories/55990


*** A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools ***
---------------------------------------------
The over-hyped market valuation of the buzzing P2P E-currency, Bitcoin, quickly gained the attention of cybercriminals internationally who promptly adapted to its sky rocketing valuation by releasing commercially available stealth Bitcoin miners, Bitcoin wallet stealing malware, as well as actually starting to offer the source code for their releases in an attempt to monetize their know-how and expertise in this area. Throughout 2013, we profiled several subscription based stealth Bitcoin
---------------------------------------------
http://feedproxy.google.com/~r/WebrootThreatBlog/~3/nKXPdGwlKk4/


*** IBM Domino / iNotes Script Insertion and Cross-Site Scripting Vulnerabilities ***
---------------------------------------------
Multiple vulnerabilities have been reported in IBM Domino and IBM iNotes, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.
---------------------------------------------
https://secunia.com/advisories/56164