[CERT-daily] Tageszusammenfassung - Donnerstag 27-02-2014

Thu Feb 27 18:19:35 CET 2014

=======================
= End-of-Shift report =
=======================

Timeframe:   Mittwoch 26-02-2014 18:00 − Donnerstag 27-02-2014 18:00
Handler:     Stephan Richter
Co-Handler:  n/a


*** Avaya to Patch Zero Days That Turn IP Phone into Radio Transmitters ***
---------------------------------------------
Avaya is expected to patch zero-day vulnerabilities in its latest one-X IP phones. The vulnerabilities and an exploit will be demonstrated this week at RSA Conference 2014.
---------------------------------------------
http://threatpost.com/avaya-to-patch-zero-days-that-turn-ip-phone-in-radio-transmitters/104506


*** Detecting malware on Mac OS X with USM and MIDAS ***
---------------------------------------------
Let's briefly review what we accomplished in the first post: Understood the capabilities and design of MIDAS Deployed MIDAS on a Mac OS X endpoint installed the MIDAS plugin in AlienVault USM Verified the integration by running MIDAS and confirming the events in the SIEM. How does this make us safer? More generally, what does this mean? To answer these questions we need to understand what plists and kexts mean from a security perspective. PlistsProperty list files contain configuration data...
---------------------------------------------
http://www.alienvault.com/open-threat-exchange/blog/detecting-malware-on-mac-os-x-with-usm-and-midas


*** Ongoing NTP Amplification Attacks, (Wed, Feb 26th) ***
---------------------------------------------
Brett, who alerted us earlier this month regarding the mass exploit against Linksys devices has surfaced a current issue hes facing with ongoing NTP amplification attacks. A good US-CERT summary of the attack is here: https://www.us-cert.gov/ncas/alerts/TA14-013A. Brett indicates that:  "We are seeing massive attacks on our NTP servers, attempting to exploit the traffic amplification vulnerability reported last month. Our IPs are being probed by an address in the Netherlands, and a couple...
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17723&rss


*** Yes, You Too Can Be An Evil Network Overlord - On The Cheap With OpenBSD, pflow And nfsen ***
---------------------------------------------
Have you ever wanted to know whats really going on in your network? Some free tools with surprising origins can help you to an almost frightening degree.One question I get a lot (or variants that end up being very close) is, "How do you keep up with whats happening in your network?". A close cousin is "how much do you actually know about your users?".The exact answer to both can have legal implications, so before I proceed to the tech content, Ill ask you to make sure you...
---------------------------------------------
http://bsdly.blogspot.com/2014/02/yes-you-too-can-be-evil-network.html


*** Weekly Metasploit Update: Encoding-Fu, New Powershell Payload, Bug Fixes ***
---------------------------------------------
In this week's Metasploit weekly update, we begin with OJ TheColonial Reeves' new optimized sub encoding module (opt_sub.rb). As the name implies, this encoder takes advantage of the SUB assembly instruction to encode a payload with printable characters that are file path friendly. Encoders like this are incredibly useful for developing a memory corruption exploit...
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/02/26/weekly-metasploit-update-encoding-fu-new-powershell-payload-bug-fixes


*** Security: Cisco öffnet Snort-Schnittstelle ***
---------------------------------------------
Wenige Wochen nach der Übernahme des Snort-Entwicklers Sourcefire hat Cisco die Schnittstelle zu dem Intrusion Detection System unter dem Namen OpenAppID öffentlich gemacht. Zudem wurde der Malware-Schutz des aufgekauften Unternehmens in Ciscos Sicherheitsportfolio integriert.
---------------------------------------------
http://www.golem.de/news/security-cisco-oeffnet-snort-schnittstelle-1402-104831-rss.html


*** Mac OS X 10.6 Snow Leopard: Apple aktualisiert nicht mehr ***
---------------------------------------------
Die letzten zwei größeren Sicherheitsupdates von Apple standen nur noch für Mavericks, Mountain Lion und Lion bereit. Dabei ist OS X 10.6 noch relativ weit verbreitet.
---------------------------------------------
http://www.heise.de/security/meldung/Mac-OS-X-10-6-Snow-Leopard-Apple-aktualisiert-nicht-mehr-2125972.html


*** Was the iOS SSL Flaw Deliberate? ***
---------------------------------------------
Last October, I speculated on the best ways to go about designing and implementing a software backdoor. I suggested three characteristics of a good backdoor: low chance of discovery, high deniability if discovered, and minimal conspiracy to implement. The critical iOS vulnerability that Apple patched last week is an excellent example. Look at the code. What caused the vulnerability is...
---------------------------------------------
https://www.schneier.com/blog/archives/2014/02/was_the_ios_ssl.html


*** Android & iOS: Gratis-Werkzeuge zur Malware-Analyse ***
---------------------------------------------
Die Linux-Distribution Santoku bringt alle Werkzeuge mit, um Malware und andere Apps für iOS und Android professionell unter die Lupe zu nehmen. Eine Kombination aus einer App und einem Webdienst analysiert unter anderem Datenströme von Apps.
---------------------------------------------
http://www.heise.de/security/meldung/Android-iOS-Gratis-Werkzeuge-zur-Malware-Analyse-2126603.html


*** Atlassian - Security Bypass Vulnerabilities in various Products ***
---------------------------------------------
Security Bypass Vulnerabilities in Atlassian Bamboo, Confluence, FishEye, JIRA, Crucible and Stash
---------------------------------------------
https://secunia.com/advisories/57086
https://secunia.com/advisories/57088
https://secunia.com/advisories/57095
https://secunia.com/advisories/57105
https://secunia.com/advisories/56842
https://secunia.com/advisories/56936


*** [2014-02-27] Local Buffer Overflow vulnerability in SAS for Windows ***
---------------------------------------------
Attackers are able to completely compromise SAS clients when a malicious SAS program gets executed as the software "SAS for Windows" is affected by a local buffer overflow vulnerability.
---------------------------------------------
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140227-0_SAS_Buffer_overflow_v10.txt


*** Drupal - Vulnerabilities in third-party Modules and Themes ***
---------------------------------------------
Vulnerabilities in Open Omega (third-party theme), Content locking (anti-concurrent editing) (third-party module), Project Issue File Review (third-party module) and Mime Mail (third-party module)
---------------------------------------------
https://drupal.org/node/2205877
https://drupal.org/node/2205807
https://drupal.org/node/2205767
https://drupal.org/node/2205991


*** Schneider Electric CitectSCADA Products Exception Handler Vulnerability (Update A) ***
---------------------------------------------
This updated advisory is a follow-up to the original advisory titled ICSA-13-350-01 Schneider Electric SCADA Products Exception Handler Vulnerability that was published February 25, 2014, on the NCCIC/ICS-CERT web site. This advisory was originally posted to the US-CERT secure Portal library on December 16, 2013. Schneider Electric requested the title change to reduce confusion.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-13-350-01A