[CERT-daily] Daily summary - Thursday 27-03-2014

Daily end-of-shift report team at cert.at
Thu Mar 27 06:13:07 CET 2014


=======================
= End-of-Shift report =
=======================

Timeframe:   Tuesday 25-03-2014 18:00 − Wednesday 26-03-2014 18:00
Handler:     Robert Waldner
Co-Handler:  n/a

*** A few updates on "The Moon" worm, (Tue, Mar 25th) ***
---------------------------------------------
It has been over a month since we saw the "Moon" worm first exploiting various Linksys routers. I think it is time for a quick update to summarize some of the things we learned since then: Much of what we found so far comes thanks to the malware analysis done by Bernardo Rodrigues. Bernardo used QEMU to run the code in a virtual environment. QEMU is as far as I know the only widely available virtualization technique that can simulate a MIPS CPU while running on an x86 host.
---------------------------------------------
http://isc.sans.edu/diary.html?storyid=17855&rss




*** WordPress pingback function abused for DDoS attacks ***
---------------------------------------------
24 March 2014
In recent days there have been numerous media reports about DDoS attacks carried out by abusing the XML-RPC pingback function of WordPress. Below I list some of these articles as further reading for those affected and interested. Blog post by Daniel Cid of the security service provider Sucuri, with an explanation of how the attack works. It further describes
---------------------------------------------
http://www.cert.at/services/blog/20140324230619-1079.html




*** Bugtraq: CVE-2013-6955 Synology DSM remote code execution ***
---------------------------------------------
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.
---------------------------------------------
http://www.securityfocus.com/archive/1/531602




*** OpenSSL 1.0.0l cache side-channel attack ***
---------------------------------------------
Topic: OpenSSL 1.0.0l cache side-channel attack
Risk: Medium
Text: The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-tim...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030197




*** Xen HVMOP_set_mem_access Input Validation Flaw Lets Local Guest Users Deny Service on the Host System ***
---------------------------------------------
A local user on the guest operating system can cause denial of service conditions on the host operating system.
The HVMOP_set_mem_access HVM control operation does not properly validate input size. A local administrative user on an HVM guest operating system can consume excessive CPU resources on the host operating system.
On version 4.2, only 64-bit versions of the hypervisor are affected.
Device model emulators (qemu-dm) are affected.
---------------------------------------------
http://www.securitytracker.com/id/1029956




*** Walkthrough of a Recent Zbot Infection and associated CnC Server ***
---------------------------------------------
During routine ThreatLabZ log analysis, we encountered the following malicious Zbot executable connecting back to its CnC and exfiltrating data via POST requests.
---------------------------------------------
http://feedproxy.google.com/~r/zscaler/research/~3/kygTD5dMmHo/walkthrough-of-recent-zbot-infection.html




*** MIT Researchers Create Platform To Build Secure Web Apps That Never Leak Data ***
---------------------------------------------
rjmarvin writes: "Researchers in the MIT Computer Science and Artificial Intelligence Laboratory have developed a platform for building secure web applications and services that never decrypt or leak data. MIT researcher Raluca Ada Popa, who previously worked on the Google and SAP-adopted CryptoDB, and her team, have put a longstanding philosophy into practice: to never store unencrypted data on servers. They've redesigned the entire approach to securing online data by creating Mylar, which
---------------------------------------------
http://rss.slashdot.org/~r/Slashdot/slashdot/~3/QIuCSrAxslY/story01.htm




*** PAM timestamp internals bypass authentication ***
---------------------------------------------
Topic: PAM timestamp internals bypass authentication
Risk: Low
Text: Hi, when playing with some PAM modules for my own projects, I came across some implications of pam_timestamp (which is part ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014030216




*** Nmap creator reboots Full Disclosure ***
---------------------------------------------
Gordon 'Fyodor' Lyon has revived the Full Disclosure mailing list, which had been closed unexpectedly. He has plenty of experience administering mailing lists and no fear of legal threats, the security expert says.
---------------------------------------------
http://www.heise.de/security/meldung/Nmap-Erfinder-rebootet-Full-Disclosure-2154859.html




*** TYPO3 CMS 6.2 LTS is now available ***
---------------------------------------------
... TYPO3 CMS 6.2 LTS, which was released today. As the second TYPO3 release with long-term support (LTS), TYPO3 CMS 6.2 LTS will receive at least three years of support from the development team behind the open-source software.
---------------------------------------------
http://typo3.org/news/article/typo3-presents-the-latest-version-of-its-free-content-management-system-typo3-cms-62-lts-is-now-av/




*** Change your VoIP password now: criminals are exploiting captured Fritzbox data ***
---------------------------------------------
The Fritzbox attackers apparently collected access credentials unnoticed for a long time without using them. This now has nasty consequences for users, because most of the passwords still work. The damage runs into the hundreds of thousands.
---------------------------------------------
http://www.heise.de/security/meldung/Jetzt-VoIP-Passwort-aendern-Kriminelle-nutzen-erbeutete-Fritzbox-Daten-aus-2155168.html




*** Splunk Unspecified Cross-Site Scripting Vulnerability ***
---------------------------------------------
A vulnerability has been reported in Splunk, which can be exploited by malicious people to conduct cross-site scripting attacks.
Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The vulnerability is reported in versions prior to 5.0.8.
---------------------------------------------
https://secunia.com/advisories/57554




*** libcURL Connection Re-use and Certificate Verification Security Issues ***
---------------------------------------------
Multiple security issues have been reported in libcURL, which can be exploited by malicious people to conduct spoofing attacks and bypass certain security restrictions.
---------------------------------------------
https://secunia.com/advisories/57434




*** 10 rules of thumb of internet safety ***
---------------------------------------------
Malicious parties on the internet try to gain access to your computer, tablet or mobile phone and to intercept personal data. Malware, phishing and spam are frequently occurring threats. These 10 rules of thumb provide a basis to protect yourself against these threats.
---------------------------------------------
http://www.ncsc.nl/english/services/expertise-advice/knowledge-sharing/factsheets/factsheet-10-rules-of-thumb.html




*** New Metasploit 4.9 Helps Evade Anti-Virus Solutions, Test Network Segmentation, and Increase Productivity for Penetration Testers ***
---------------------------------------------
Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing our total module count up to 1,974. The new version is available immediately.
---------------------------------------------
https://community.rapid7.com/community/metasploit/blog/2014/03/26/new-metasploit-49-helps-evade-anti-virus-solutions-test-network-segmentation-and-increase-productivity-for-penetration-testers




*** [Honeypot Alert] JCE Joomla Extension Attacks ***
---------------------------------------------
Our web honeypots picked up some increased exploit attempts for an old Joomla Content Editor (JCE) Extension vulnerability. Although this vulnerability is a few years old, botnet owners are heavily scanning for sites that are vulnerable and attempting to exploit them.
---------------------------------------------
http://feedproxy.google.com/~r/SpiderlabsAnterior/~3/v7CME1mpcfQ/honeypot-alert-jce-joomla-extension-attacks.html




*** Cisco IOS Software SSL VPN Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Secure Sockets Layer (SSL) VPN subsystem of Cisco IOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to a failure to process certain types of HTTP requests. To exploit the vulnerability, an attacker could submit crafted requests designed to consume memory to an affected device. An exploit could allow the attacker to consume and fragment memory on the affected device. This may cause reduced performance, a failure of certain processes, or a restart of the affected device.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn




*** Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device. To exploit this vulnerability, affected devices must be configured to process SIP messages. Limited Cisco IOS Software and Cisco IOS XE Software releases are affected.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-sip




*** Cisco IOS Software Crafted IPv6 Packet Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the implementation of the IP version 6 (IPv6) protocol stack in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause I/O memory depletion on an affected device that has IPv6 enabled. The vulnerability is triggered when an affected device processes a malformed IPv6 packet.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ipv6




*** Cisco IOS Software Network Address Translation Vulnerabilities ***
---------------------------------------------
The Cisco IOS Software implementation of the Network Address Translation (NAT) feature contains two vulnerabilities when translating IP packets that could allow an unauthenticated, remote attacker to cause a denial of service condition.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat




*** Cisco IOS Software Internet Key Exchange Version 2 Denial of Service Vulnerability ***
---------------------------------------------
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device that would lead to a denial of service (DoS) condition.
The vulnerability is due to how an affected device processes certain malformed IKEv2 packets. An attacker could exploit this vulnerability by sending malformed IKEv2 packets to an affected device to be processed. An exploit could allow the attacker to cause a reload of the affected device that would lead to a DoS condition.
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ikev2




*** Web Browser Security Revisited (Part 5) ***
---------------------------------------------
In Part 1 of this series, we discussed the importance of web browser security and some security-related issues that are common to all or many of the popular browsers today. In Part 2, we talked about some specific security mechanisms that are built into Internet Explorer and how they're implemented. In Part 3, we looked at how to configure IE for best security. In Part 4, we examined how to do the same with Google Chrome. This time, we'll look at ... Chrome for Business.
---------------------------------------------
http://www.windowsecurity.com/articles-tutorials/Web_Application_Security/web-browser-security-revisited-part5.html




*** Vuln: Apple Mac OS X APPLE-SA-2014-02-25-1 Multiple Security Vulnerabilities ***
---------------------------------------------
Apple Mac OS X is prone to multiple vulnerabilities.
The update addresses new vulnerabilities that affect ATS, CFNetwork Cookies, CoreAnimation, CoreText, Date and Time, curl, QuickTime, QuickLook, Finder, and File Bookmark components.
Attackers can exploit these issues to execute arbitrary code, gain unauthorized access, bypass security restrictions, and perform other attacks. Failed attacks may cause denial-of-service conditions.
These issues affect OS X versions prior to 10.9.2.
---------------------------------------------
http://www.securityfocus.com/bid/65777





