[CERT-daily] Tageszusammenfassung - Mittwoch 4-09-2013

Wed Sep 4 18:20:52 CEST 2013

=======================
= End-of-Shift report =
=======================

Timeframe:   Dienstag 03-09-2013 18:00 − Mittwoch 04-09-2013 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter


*** Hintergrund: Browser-SSL entschlüsselt ***
---------------------------------------------
Mit einem kleinen Trick speichern Firefox und Chrome die verwendeten Schlüssel so, dass Wireshark die damit verschlüsselten Daten gleich dekodieren kann.
---------------------------------------------
http://www.heise.de/security/artikel/Browser-SSL-entschluesselt-1948431.html


*** Software Developer Says Mega Master Keys Are Retrievable ***
---------------------------------------------
hypnosec writes that software developer Michael Koziarski has released a bookmarklet "which he claims has the ability to reveal Mega users master key. Koziarski went on to claim that Mega has the ability to grab its users keys and use them to access their files. Dubbed MegaPWN, the tool not only reveals a users master key, but also gives away a users RSA private key exponent. MEGApwn is a bookmarklet that runs in your web browser and displays your supposedly secret MEGA master key, showing
---------------------------------------------
http://yro.slashdot.org/story/13/09/03/1720223/software-developer-says-mega-master-keys-are-retrievable


*** Cidox Trojan Spoofs HTTP Host Header to Avoid Detection ***
---------------------------------------------
Lately, we have seen a good number of samples generating some interesting network traffic through our automated framework. The HTTP network pattern generated contains a few interesting parameters, names like "&av" (for antivirus?) and "&vm="(VMware?), The response received looked to be encrypted, which drew my attention. Also, all the network traffic contained the same host Read more...
---------------------------------------------
http://blogs.mcafee.com/mcafee-labs/cidox-trojan-spoofs-http-host-header-to-avoid-detection


*** Styx-like Cool Exploit Kit: How It Works ***
---------------------------------------------
While the Blackhole Exploit Kit is the most well-known of the exploit kits that affect users, other exploit kits are also well known in the Russian underground. In this post, we will look at how these other kits work, and its differences from other exploit kits. One well-known Blackhole alternative is the Styx Exploit Kit.
---------------------------------------------
http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/


*** Researchers: Oracle's Java Security Fails ***
---------------------------------------------
Faced with an onslaught of malware attacks that leverage vulnerabilities and design weaknesses in Java, Oracle Corp. recently tweaked things so that Java now warns users about the security risks of running Java content. But new research shows that the integrity and accuracy of these warning messages can be subverted easily in any number of ways, and that Oracles new security scheme actually punishes Java application developers who adhere to it.
---------------------------------------------
http://krebsonsecurity.com/2013/09/researchers-oracles-java-security-fails/


*** The Red Book - The SysSec Roadmap for Systems Security Research ***
---------------------------------------------
The SysSec Red Book is a Roadmap in the area of Systems Security, as prepared by the SysSec consortium and its constituency. For preparing this roadmap a Task Force of young researchers with proven track of record in the area was assembled and collaborated with the senior researchers of SysSec. Additionally, the SysSec Community has been consulted to provide input on the contents of the roadmap.
---------------------------------------------
http://www.red-book.eu/


*** [Video] ThreatVlog, Episode 3: NYT, Twitter, and HuffPost hacked by Syrian Electronic Army ***
---------------------------------------------
In this episode of ThreatVlog, Grayson Milbourne covers the information behind the Syrian Electronic Army's hacking of New York Times, Twitter, and Huffington Post. Grayson includes a breakdown of the hack as well as information on how to keep your own websites protected form this malicious behavior.The post [Video] ThreatVlog, Episode 3: NYT, Twitter, and HuffPost hacked by Syrian Electronic Army appeared first on Webroot Threat Blog.
---------------------------------------------
http://www.webroot.com/blog/2013/09/04/video-threatvlog-episode-3-nyt-twitter-huffpost-hacked-syrian-electronic-army/


*** Bugtraq: SEC Consult SA-20130904-0 :: GroupLink everything HelpDesk - undocumented password reset/admin takeover and XSS vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/archive/1/528420


*** Samsung Galaxy S4 Polaris Viewer DOCX Buffer Overflow Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54701


*** MediaWiki Security Release ***
---------------------------------------------
I would like to announce the release of MediaWiki 1.21.2, 1.20.7 and 1.19.8. These releases fix 3 security related bugs that could affect users of MediaWiki.
---------------------------------------------
http://lists.wikimedia.org/pipermail/mediawiki-announce/2013-September/000133.html


*** OpenVZ update for kernel ***
---------------------------------------------
https://secunia.com/advisories/54311


*** Linux Kernel PID Spoofing Privilege Escalation Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54675


*** Sixnet Universal Protocol Undocumented Function Codes (Update A) ***
---------------------------------------------
OVERVIEW: This updated advisory is a follow-up to the original advisory titled ICSA-13-231-01 Sixnet Universal Protocol Undocumented Function Codes that was published August 19, 2013, on the ICS-CERT Web page.Independent researcher Mehdi Sabraoui has identified undocumented function codes in Sixnet's universal protocol. Sixnet has produced a new version of the remote terminal unit (RTU) firmware that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-231-01A


*** Tridium Niagara Vulnerabilities (Update A) ***
---------------------------------------------
OVERVIEW--------- Begin Update A Part 1 of 2 --------This updated advisory is a follow-up to the original advisory titled ICSA-12-228-01 Tridium Niagara Multiple Vulnerabilities that was published August 15, 2012, on the ICS-CERT Web page. It is also a follow-up to ICS-ALERT-12-195-01 Tridium Niagara Directory Traversal and Weak Credential Storage Vulnerability that was published July 13, 2012, on the ICS-CERT Web page.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-12-228-01A


*** Cisco Mobility Services Engine Configuration Error Lets Remote Users Login Anonymously ***
---------------------------------------------
http://www.securitytracker.com/id/1028972


*** Cisco Secure Access Control System (ACS) TACACS+ Socket Denial of Service Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54687


*** SAP NetWeaver "ABAD0_DELETE_DERIVATION_TABLE" SQL Injection Vulnerability ***
---------------------------------------------
https://secunia.com/advisories/54702


*** Vuln: Supermicro IPMI Web Interface Multiple Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/62094
http://www.securityfocus.com/bid/62097
http://www.securityfocus.com/bid/62098


*** Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-0585, CVE-2013-3034, CVE-2013-3040 and CVE-2013-0599) ***
---------------------------------------------
Security Bulletin: Multiple security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-0585, CVE-2013-3034, CVE-2013-3040 and CVE-2013-0599)  CVE(s): CVE-2013-0585, CVE-2013-3034, CVE-2013-3040, and CVE-2013-0599  Affected product(s) and affected version(s): IBM InfoSphere Information Server version 9.1 running on all platforms   Refer to the following reference URLs for remediation and additional vulnerability details. Source Bulletin:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_multiple_security_vulnerabilities_exist_in_ibm_infosphere_information_server_cve_2013_0585_cve_2013_3034_cve_2013_3040_and_cve_2013_0599?lang=en_us