[CERT-daily] Tageszusammenfassung - Freitag 14-03-2014

Fri Mar 14 18:06:35 CET 2014

=======================
= End-of-Shift report =
=======================

Timeframe:   Donnerstag 13-03-2014 18:00 − Freitag 14-03-2014 18:00
Handler:     Robert Waldner
Co-Handler:  Alexander Riepl

*** Bugtraq: [ MDVSA-2014:057 ] mediawiki ***
---------------------------------------------
Updated mediawiki packages fix multiple vulnerabilities:
---------------------------------------------
http://www.securityfocus.com/archive/1/531452


*** Vuln: Mutt Mailreader mutt_copy_hdr() Function Heap Based Buffer Overflow Vulnerability ***
---------------------------------------------
Mutt mailreader is prone to a heap-based buffer-overflow vulnerability.
Successful exploitation of this issue allow an attacker to execute arbitrary code in the context of the application, failed attempts lead to denial-of-service.
Mutt prior to 1.5.23 are vulnerable. 
---------------------------------------------
http://www.securityfocus.com/bid/66165


*** Schneider Electric StruxureWare SCADA Expert ClearSCADA Parsing Vulnerability ***
---------------------------------------------
OVERVIEW
Andrew Brooks identified and reported to The Zero Day Initiative (ZDI) a File Parsing Vulnerability: Schneider Electric StruxureWare SCADA Expert ClearSCADA ServerMain.exe OPF File Parsing Vulnerability. Schneider Electric has prepared workarounds and helped develop security upgrades for a third‑party component that is affected.AFFECTED PRODUCTSThe following SCADA Expert ClearSCADA versions are affected:
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-072-01


*** VU#807134: WatchGuard Fireware XTM devices contain a cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#807134 WatchGuard Fireware XTM devices contain a cross-site scripting vulnerability
...
Overview WatchGuard Fireware XTM 11.8.1, and possibly earlier versions, contains a cross-site scripting vulnerability.
---------------------------------------------
http://www.kb.cert.org/vuls/id/807134


*** Squid Flaw in SSL-Bump Lets Remote Users Deny Service ***
---------------------------------------------
A remote user can send HTTPS requests to trigger a flaw in SSL-Bump and cause the target service to crash.
Specially crafted requests are not required to trigger this vulnerability.
---------------------------------------------
http://www.securitytracker.com/id/1029908


*** Wireshark NFS/M3UA/RLC Dissector Bugs Let Remote Users Deny Service and MPEG Buffer Overflow Lets Remote Users Execute Arbitrary Code ***
---------------------------------------------
Several vulnerabilities were reported in Wireshark. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can cause denial of service conditions.
---------------------------------------------
http://www.securitytracker.com/id/1029907


*** Blogs of War: Don’t Be Cannon Fodder ***
---------------------------------------------
On Wednesday, KrebsOnSecurity was hit with a fairly large attack which leveraged a feature in more than 42,000 blogs running the popular WordPress content management system (this blog runs on WordPress). This post is an effort to spread the word to other WordPress users to ensure their blogs arent used in attacks going forward.
---------------------------------------------
http://feedproxy.google.com/~r/KrebsOnSecurity/~3/TMHH3NsEOxo/


*** Cisco Cloud Portal Discloses Cryptographic Material That Lets Remote Users Decrypt Data ***
---------------------------------------------
A vulnerability was reported in Cisco Cloud Portal. A local user can obtain cryptographic material. A remote user with access to the cryptographic material can then decrypt data.
The Cisco Intelligent Automation for Cloud (Cisco IAC) binaries include fixed cryptographic material. A remote user that can access encrypted data from the target Cisco IAC installation can decrypt the data.
---------------------------------------------
http://www.securitytracker.com/id/1029915


*** Google Docs Users Targeted by Sophisticated Phishing Scam ***
---------------------------------------------
We see millions of phishing messages every day, but recently, one stood out: a sophisticated scam targeting Google Docs and Google Drive users.The scam uses a simple subject of "Documents" and urges the recipient to view an important document on Google Docs by clicking on the included link.read more
---------------------------------------------
http://www.symantec.com/connect/blogs/google-docs-users-targeted-sophisticated-phishing-scam


*** McAfee Email Gateway Input Validation Flaws Let Remote Authenticated Users Inject SQL and Operating System Commands ***
---------------------------------------------
Several vulnerabilities were reported in McAfee Email Gateway. A remote authenticated user can execute arbitrary operating system commands on the target system. A remote authenticated user can inject SQL commands.
---------------------------------------------
http://www.securitytracker.com/id/1029916


*** Firefox Exec Shellcode From Privileged Javascript Shell ***
---------------------------------------------
Topic: Firefox Exec Shellcode From Privileged Javascript Shell
Risk: Medium
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030113


*** A decade of securing Europe’s cyber future. The EU’s cyber security Agency ENISA is turning ten, and is looking at future challenges. ***
---------------------------------------------
In the “eternal marathon” against cyber criminals, there is a “constant, increasing need for ENISA”.
---------------------------------------------
http://www.enisa.europa.eu/media/press-releases/a-decade-of-securing-europe2019s-cyber-future-the-eu2019s-cyber-security-agency-enisa-is-turning-ten-and-is-looking-at-future-challenges


*** lighttpd Directory Traversal and SQL Injection Vulnerabilities ***
---------------------------------------------
Two vulnerabilities have been reported in lighttpd, which can be exploited by malicious people to disclose potentially sensitive information and conduct SQL injection attacks.
...

Successful exploitation requires mod_evhost and/or mod_simple_vhost modules to be enabled.
---------------------------------------------
https://secunia.com/advisories/57333


*** Samsung Backdoor May Not Be as Wide Open as Initially Thought ***
---------------------------------------------
... As demonstrated in a proof-of-concept attack, this allowed certain baseband code to gain access to a device’s storage under a specific set of circumstances. But upon closer inspection, this backdoor is most likely not as bad as it was initially made out to be.
---------------------------------------------
http://www.xda-developers.com/android/samsung-backdoor-may-not-be-as-wide-open-as-initially-thought/


*** EU-Parlament stimmt für Meldepflicht von Cyberangriffen ***
---------------------------------------------
Die Abgeordneten haben mit großer Mehrheit, aber einigen Änderungen einen Richtlinienentwurf der EU-Kommission zur Netz- und Informationssicherheit beschlossen. Mitgliedsländer sollen ihre Kooperationen stärken.
---------------------------------------------
http://www.heise.de/newsticker/meldung/EU-Parlament-stimmt-fuer-Meldepflicht-von-Cyberangriffen-2145107.html/from/rss09?wt_mc=rss.ho.beitrag.rdf


*** Gameover ZeuS Jumps on the Bitcoin Bandwagon ***
---------------------------------------------
Were always asking our analysts the following question: seen anything interesting? And yesterday, the answer to our query was this: Gameover ZeuS has some additional strings.Very interesting, indeed.Heres a screenshot of the decrypted strings: • aBitcoinQt_exe • aBitcoind_exe • aWallet_dat • aBitcoinWallet • aBitcoinWalle_0Bitcoin wallet stealing has really moved up from the bush leagues. Gameover ZeuS is a pro.Analysis is ongoing.Heres the SHA1:
---------------------------------------------
http://www.f-secure.com/weblog/archives/00002685.html


*** Target staff IGNORED security alerts as hackers slurped 40m customers card details ***
---------------------------------------------
Reports say staff dithered while hackers went to town Staff at US retailer Target failed to stop the theft of 40 million credit card records last December despite an escalating series of alarms from the companys security systems.…
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/14/target_failed_to_act_on_security_alerts/


*** Debian Security Advisory DSA-2879-1 libssh -- security update ***
---------------------------------------------
It was discovered that libssh, a tiny C SSH library, did not reset the state of the PRNG after accepting a connection. A server mode application that forks itself to handle incoming connections could see its children sharing the same PRNG state, resulting in a cryptographic weakness and possibly the recovery of the private key.
---------------------------------------------
http://www.debian.org/security/2014/dsa-2879


*** Sophos UTM TCP Stack Memory Leak Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Sophos UTM, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error within TCP stack and can be exploited to cause a memory leak.
The vulnerability is reported in versions prior to 9.109.
---------------------------------------------
https://secunia.com/advisories/57344


*** Blog: Analysis of, Malware from the MtGox leak archive ***
---------------------------------------------
A few days ago the personal blog and Reddit account of MTgox CEO, Mark Karpeles, were hacked. Attackers used them to post a file, MtGox2014Leak.zip, which they claim contains valuable database dumps and specialized software for remote access to MtGox data. But this application is actually malware created to search and steal Bitcoin wallet files from their victims. It seems that the whole leak was invented to infect computers with Bitcoin-stealer malware that takes advantage of people keen interest in the MtGox topic.
---------------------------------------------
http://www.securelist.com/en/blog/8196/Analysis_of_Malware_from_the_MtGox_leak_archive