[CERT-daily] Tageszusammenfassung - Montag 17-03-2014

Mon Mar 17 18:13:09 CET 2014

=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 14-03-2014 18:00 − Montag 17-03-2014 18:00
Handler:     Robert Waldner
Co-Handler:  Stephan Richter


*** Security Exploit Patched on vBulletin - PHP Object Injection ***
---------------------------------------------
The vBulletin team just issued a warning, and released patches for a security exploit that affected all versions of vBulletin including 3.5, 3.6, 3.7, 3.8, 4.X, 5.X. They recommend that anyone using vBulletin apply these patches as soon as possible. Here is part of their announcement: A security issue has been found that affects all...
---------------------------------------------
http://blog.sucuri.net/2014/03/security-exploit-patched-on-vbulletin-php-object-injection.html


*** Pwn2Own results for Wednesday (Day One) ***
---------------------------------------------
At Pwn4Fun, Google delivered a very impressive exploit against Apple Safari launching Calculator as root on Mac OS X. ZDI presented a multi-stage exploit, including an adaptable sandbox bypass, against Microsoft Internet Explorer, launching Scientific Calculator (running in medium integrity) with continuation.
---------------------------------------------
http://www.pwn2own.com/2014/03/pwn2own-results-for-wednesday-day-one/


*** Pwn2Own results for Thursday (Day Two) ***
---------------------------------------------
... Vulnerabilities were successfully presented on Thursday in the Pwn2Own competition ... against Google Chrome, Microsoft Internet Explorer, Apple Safari, Mozilla Firefox, Adobe Flash.
---------------------------------------------
http://www.pwn2own.com/2014/03/pwn2own-results-thursday-day-two/


*** Verschlüsselung: Caesar-Wettbewerb sucht authentifizierte Verschlüsselung ***
---------------------------------------------
Die erste Runde des Caesar-Wettbewerbs hat begonnen. Das Ziel: Kryptografen suchen bessere Algorithmen für authentifizierte Verschlüsselung.
---------------------------------------------
http://www.golem.de/news/verschluesselung-caesar-wettbewerb-sucht-authentifizierte-verschluesselung-1403-105182-rss.html


*** The Long Tail of ColdFusion Fail ***
---------------------------------------------
Earlier this month, I published a story about a criminal hacking gang using Adobe ColdFusion vulnerabilities to build a botnet of hacked e-commerce sites that were milked for customer credit card data. Todays post examines the impact that this botnet has had on several businesses, as well as the important and costly lessons these companies learned from the intrusions.
---------------------------------------------
http://krebsonsecurity.com/2014/03/the-long-tail-of-coldfusion-fail/


*** Webstorage-App von Asus schwächelt erneut bei SSL ***
---------------------------------------------
Eine eigentlich behobene SSL-Lücke in der Android-App für den Asus-Onlinespeicher Webstorage ist auferstanden: Die aktuelle App-Version überpüft nicht das vom Onlinespeicher übermittelte Serverzertifikat.
---------------------------------------------
http://www.heise.de/security/meldung/Webstorage-App-von-Asus-schwaechelt-erneut-bei-SSL-2148420.html


*** iOS 7 has weak random number generator ***
---------------------------------------------
Trivial to break, says researcher In an effort to improve iDevice security, Apple replaced its internal random number generator between iOS 6 and iOS 7 - but a security researcher believes Cupertino inadvertently downgraded security.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2014/03/16/ios_7_has_weak_random_number_generator/


*** VU#381692: Webmin contains a cross-site scripting vulnerability ***
---------------------------------------------
Vulnerability Note VU#381692 Webmin contains a cross-site scripting vulnerability Original Release date: 14 Mar 2014 | Last revised: 14 Mar 2014   Overview Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability.  Description CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Webmin 1.670, and possibly earlier versions, contains a cross-site scripting vulnerability in the "search" parameter of the view.cgi...
---------------------------------------------
http://www.kb.cert.org/vuls/id/381692


*** Siemens SIMATIC S7-1500 CPU Firmware Vulnerabilities ***
---------------------------------------------
Siemens and Positive Technology researchers (Yury Goltsev, Llya Karpov, Alexey Osipov, Dmitry Serebryannikov and Alex Timorin) have identified nine firmware vulnerabilities in the Siemens SIMATIC S7-1500 CPU Firmware. Siemens has produced a patch that mitigates these vulnerabilities.These vulnerabilities could be exploited remotely. ---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-073-01


*** OpenX 2.8.11 Cross Site Request Forgery ***
---------------------------------------------
Topic: OpenX 2.8.11 Cross Site Request Forgery Risk: Low Text: Hello, Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2.8.11and earlier allows remote attackers to ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030121


*** iOS 7 Arbitrary Code Execution ***
---------------------------------------------
When a specific value is supplied in USB Endpoint descriptor for a HID device the Apple device kernel panics and reboots
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030126


*** GNU Readline Insecure usage of temporary files ***
---------------------------------------------
Topic: GNU Readline Insecure usage of temporary files Risk: Medium Text: Whilst auditing some code for insecure uses of temporary files I spotted a potential area of concern in GNU readline. (...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030129


*** HPSBNS02969 rev.1 - HP NonStop Servers running Java 7, Multiple Remote Vulnerabilities affecting Confidentiality, Integrity and Availability ***
---------------------------------------------
Potential vulnerabilities have been identified with HP NonStop Servers running Java 7. The vulnerabilities could be exploited remotely affecting confidentiality, integrity and availability.
---------------------------------------------
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04126444