[CERT-daily] Tageszusammenfassung - Montag 15-12-2014

Mon Dec 15 18:16:23 CET 2014

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 12-12-2014 18:00 − Montag 15-12-2014 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** ICS-CERT: BlackEnergy may be infecting WinCC systems lacking recent patch ***
---------------------------------------------
BlackEnergy malware may be exploiting a vulnerability in Siemens SIMATIC WinCC software that was patched in early November.
---------------------------------------------
http://www.scmagazine.com/ics-cert-urges-wincc-users-others-to-update-software/article/388176/


*** BGP Hijacking Continues, Despite the Ability To Prevent It ***
---------------------------------------------
An anonymous reader writes: BGPMon reports on a recent route hijacking event by Syria. These events continue, despite the ability to detect and prevent improper route origination: Resource Public Key Infrastructure. RPKI is technology that allows an operator to validate the proper relationship between an IP prefix and an Autonomous System. That is, assuming you can collect the certificates. ARIN requires operators accept something called the Relying Party Agreement. But the provider community...
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/hl_eP152_h0/story01.htm


*** Batten down the patches: New vuln found in Docker container tech ***
---------------------------------------------
Last months patch brought new privilege escalation flaw More security woes plagued users of the Docker application containerization tech for Linux this week, after an earlier security patch was found to have introduced a brand-new critical vulnerability in the software.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/12/12/docker_vulnerability/


*** Cisco to release flying pig - Snort 3.0 ***
---------------------------------------------
Sourcefires been making bacon, now wants you to fry it Ciscos going to release a flying pig.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/12/12/cisco_to_release_flying_pig/


*** Worm Backdoors and Secures QNAP Network Storage Devices, (Sun, Dec 14th) ***
---------------------------------------------
Shellshock is far from over, with many devices still not patched andout there ready for exploitation. One set of thedevices receiving a lot of attention recently are QNAP disk storage systems. QNAP released a patch in early October, but applying the patch is not automatic and far from trivial for many users[1]. Our reader Erichsubmitted a link to an interesting Pastebin post with code commonly used in these scans [2] The attack targets a QNAP CGI script, /cgi-bin/authLogin.cgi, a well known...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19061&rss


*** SoakSoak Malware Compromises 100,000+ WordPress Websites ***
---------------------------------------------
This Sunday has started with a bang. Google has blacklisted over 11,000 domains with this latest malware campaign from SoakSoak.ru: Our analysis is showing impacts in the order of 100s of thousands of WordPress specific websites. We cannot confirm the exact vector, but preliminary analysis is showing correlation with the Revslider vulnerability we reported a...
---------------------------------------------
http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html


*** Man in the Middle attack vs. Cloudflares Universal SSL ***
---------------------------------------------
MitM attacks are a class of security attacks that involve the compromise of the authentication of a secure connection. In essence, an attacker builds a transparent tunnel between the client and the server, but makes sure that the client negotiates the secure connection with the attacker, instead of the intended server. Thus the client instead of having a secure connection to the server, has a secure connection to the attacker, which in turn has set up its own secure connection to the server, so...
---------------------------------------------
http://blog.ricardomacas.com/index.php?controller=post&action=view&id_post=4


*** 10th Annual ICS Security Summit - Orlando ***
---------------------------------------------
For SCADA, Industrial Automation, and Control System Security Join us for the 10th anniversary of the Annual SANS ICS Security Summit. The Summit is the premier event to attend in 2015 for ICS cybersecurity practitioners and managers. This years summit will feature hands-on training courses focused on Attacking and Defending ICS environments, Industry specific pre-summit events, and an action packed summit agenda with the release of ICS security tools and the popular security kit for Summit
---------------------------------------------
https://www.sans.org/event/ics-security-summit-2015


*** Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3009712) ***
---------------------------------------------
V3.0 (December 12, 2014): Rereleased bulletin to announce the reoffering of Microsoft security update 2986475 for Microsoft Exchange Server 2010 Service Pack 3. The rereleased update addresses a known issue in the original offering. Customers who uninstalled the original update should install the updated version of 2986475 at the earliest opportunity.
---------------------------------------------
https://technet.microsoft.com/en-us/library/security/MS14-075


*** Two newcomers in the exploit kit market ***
---------------------------------------------
Exploit kits are a great means to an end for malware distributors, who either buy them or rent them in order to widely disseminate their malicious wares. Its no wonder then that unscrupulous developers are always trying to enter the market currently cornered by Angler, Nuclear, FlashEK, Fiesta, SweetOrange, and others popular exploit kits.
---------------------------------------------
http://www.net-security.org/malware_news.php?id=2929


*** RSA Authentication Manager 8.0 / 8.1 Unvalidated Redirect ***
---------------------------------------------
Topic: RSA Authentication Manager 8.0 / 8.1 Unvalidated Redirect Risk: Low Text:ESA-2014-173: RSA Authentication Manager Unvalidated Redirect Vulnerability EMC Identifier: ESA-2014-173 CVE Identifier:...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014120080


*** RSA Archer GRC Platform 5.x Cross Site Scripting ***
---------------------------------------------
Topic: RSA Archer GRC Platform 5.x Cross Site Scripting Risk: Low Text:ESA-2014-163: RSA Archer GRC Platform Multiple Vulnerabilities EMC Identifier: ESA-2014-163 CVE Identifier: See b...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014120079


*** EMC Isilon InsightIQ Cross Site Scripting ***
---------------------------------------------
Topic: EMC Isilon InsightIQ Cross Site Scripting Risk: Low Text:ESA-2014-164: EMC Isilon InsightIQ Cross-Site Scripting Vulnerability EMC Identifier: ESA-2014-164 CVE Identifier: CVE-...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014120078


*** Cisco Prime Security Manager Cross-Site Scripting Vulnerability ***
---------------------------------------------
CVE-2014-3364
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2014-3364


*** Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass ***
---------------------------------------------
Topic: Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass Risk: Medium Text:Soitec SmartEnergy 1.4 SCADA Login SQL Injection Authentication Bypass Exploit Vendor: Soitec Product web page: http://ww...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014120086


*** Multiple vulnerabilities in InfiniteWP Admin Panel ***
---------------------------------------------
InfiniteWP (http://www.infinitewp.com/) allows an administrator to manage multiple Wordpress sites from one control panel. According to the InfiniteWP homepage, it is used on over 317,000 Wordpress sites. The InfiniteWP Admin Panel contains a number of vulnerabilities that can be exploited by an unauthenticated remote attacker. These vulnerabilities allow taking over managed Wordpress sites by leaking secret InfiniteWP client keys, allow SQL injection, allow cracking of InfiniteWP admin
---------------------------------------------
http://seclists.org/fulldisclosure/2014/Dec/43


*** Bugtraq: Vulnerabilities in Ekahau Real-Time Location Tracking System [MZ-14-01] ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534241


*** [dos] - phpMyAdmin 4.0.x, 4.1.x, 4.2.x - DoS ***
---------------------------------------------
http://www.exploit-db.com/exploits/35539


*** Multiple vulnerabilities in BibTex Publications (si_bibtex) ***
---------------------------------------------
It has been discovered that the extension "BibTex Publications" (si_bibtex) is susceptible to Cross-Site Scripting and SQL Injection.
---------------------------------------------
http://www.typo3.org/news/article/multiple-vulnerabilities-in-bibtex-publications-si-bibtex/


*** Multiple vulnerabilities in Drag Drop Mass Upload (ameos_dragndropupload) ***
---------------------------------------------
It has been discovered that the extension "Drag Drop Mass Upload" (ameos_dragndropupload) is susceptible to Cross-Site Scripting, Cross-Site Request Forgery and Improper Access Control.
---------------------------------------------
http://www.typo3.org/news/article/improper-access-control-in-drag-drop-mass-upload-ameos-dragndropupload/


*** Security Advisory-SSLv3 POODLE Vulnerability in Huawei Products ***
---------------------------------------------
Dec 15, 2014 18:30
---------------------------------------------
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-405500.htm


*** SEO Redirection <= 2.2 - Unauthenticated Stored XSS ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7722


*** Lightbox Photo Gallery 1.0 - CSRF/XSS ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7719


*** WP-FB-AutoConnect <= 4.0.5 - XSS/CSRF ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7721


*** Timed Popup <= 1.3 - CSRF & Stored XSS ***
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7720


*** Bugtraq: CVE-2014-2026 Reflected Cross-Site Scripting (XSS) in "Intrexx Professional" ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534230


*** Bugtraq: CVE-2014-2025 Remote Code Execution (RCE) in "Intrexx Professional" ***
---------------------------------------------
http://www.securityfocus.com/archive/1/534229