[CERT-daily] Tageszusammenfassung - Freitag 30-05-2014

Daily end-of-shift report team at cert.at
Fri May 30 18:09:33 CEST 2014


=======================
= End-of-Shift report =
=======================

Timeframe:   Donnerstag 29-05-2014 18:00 − Freitag 30-05-2014 18:00
Handler:     Alexander Riepl
Co-Handler:  Stephan Richter




*** Third-Party Auth Token Theft: The Big Picture ***
---------------------------------------------
Nothing sets the technical journalists abuzz like the prospect of a catastrophic, Internet-wide vulnerability. Fresh off the very legitimate excitement over Heartbleed, some media outlets were hoping for a new scoop with "Covert Redirections". Spoiler alert: there's no catastrophe. For those that haven't heard, this started with a paper and series of blog posts by Wang Jing. Wang describes an attack against websites that use third-party authentication services and are...
---------------------------------------------
http://blog.spiderlabs.com/2014/05/third-party_auth_token_theft_the_big_picture.html




*** Ende von Truecrypt: Entwickler hat angeblich Interesse verloren ***
---------------------------------------------
Einer der Entwickler von Truecrypt hat sich angeblich zu Wort gemeldet und die Beweggründe für das plötzliche Aus erklärt: Man habe das Interesse verloren. Einer Weiterentwicklung durch die Community steht er demnach kritisch gegenüber.
---------------------------------------------
http://www.heise.de/security/meldung/Ende-von-Truecrypt-Entwickler-hat-angeblich-Interesse-verloren-2211228.html




*** Hintergrund: Truecrypt ist unsicher - und jetzt? ***
---------------------------------------------
Sollten wir jetzt wirklich alle auf Bitlocker umsteigen, wie es die Truecrypt-Entwickler vorschlagen? Einen echten Nachfolger wird es jedenfalls so bald nicht geben - und daran sind nicht zu letzt auch die Truecrypt-Entwickler schuld.
---------------------------------------------
http://www.heise.de/security/artikel/Truecrypt-ist-unsicher-und-jetzt-2211475.html




*** ThreadFix v2.1M1 Released ***
---------------------------------------------
ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. ThreadFix is licensed under the Mozilla Public License (MPL) version 2.0.
---------------------------------------------
http://www.toolswatch.org/2014/05/threadfix-v2-1m1-released/




*** New Attack Methods Can brick Systems, Defeat Secure Boot, Researchers Say ***
---------------------------------------------
IDG News Service - The Secure Boot security mechanism of the Unified Extensible Firmware Interface (UEFI) can be bypassed on around half of computers that have the feature enabled in order to install bootkits, according to a security researcher.
---------------------------------------------
http://www.cio.com/article/753439/New_Attack_Methods_Can_39_brick_39_Systems_Defeat_Secure_Boot_Researchers_Say




*** Thieves Planted Malware to Hack ATMs ***
---------------------------------------------
A recent ATM skimming attack in which thieves used a specialized device to physically insert malicious software into a cash machine may be a harbinger of more sophisticated scams to come.
---------------------------------------------
http://krebsonsecurity.com/2014/05/thieves-planted-malware-to-hack-atms/




*** Heartbleed-Bug: OpenSSL bekommt Security-Audit und zwei Festangestellte ***
---------------------------------------------
Die Linux-Foundation sammelt Geld für Kern-Infrastruktur wie OpenSSL und gibt nun erste Pläne bekannt. Beraten sollen das Projekt Linux-Kernel-Hacker und Bruce Schneier sowie Eben Moglen.
---------------------------------------------
http://www.golem.de/news/heartbleed-bug-openssl-bekommt-security-audit-und-zwei-festangestellte-1405-106827-rss.html




*** When Networks Turn Hostile ***
---------------------------------------------
We've previously discussed how difficult it is to safely connect to networks when on the go. This is particularly true on vacations and holidays, where the availability of Internet access is one of the most important factors when looking for a place to stay. In fact, many holiday lodges and hotels today have made Wi-Fi access an...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/CL6K-SnbQJQ/




*** Triangle MicroWorks Uncontrolled Resource Consumption ***
---------------------------------------------
Adam Crain of Automatak and Chris Sistrunk of Mandiant have identified an uncontrolled resource consumption vulnerability in Triangle MicroWorks products and third-party components. Triangle MicroWorks has produced an update that mitigates this vulnerability.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-149-01




*** Cogent Datahub Vulnerabilities ***
---------------------------------------------
Independent researcher Alain Homewood has identified four vulnerabilities in the Cogent Real-Time Systems DataHub application. Cogent Real-Time Systems has produced a new version that mitigates three of the four identified vulnerabilities; they have recommended a mitigation for the unresolved vulnerability. The researcher has tested the new version to validate that it resolves three of the four vulnerabilities.
---------------------------------------------
http://ics-cert.us-cert.gov/advisories/ICSA-14-149-02




*** VMSA-2014-0005 ***
---------------------------------------------
VMware Workstation, Player, Fusion, and ESXi patches address a guest privilege escalation
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0005.html




*** VMSA-2014-0002.3 ***
---------------------------------------------
VMware vSphere updates to third party libraries
---------------------------------------------
http://www.vmware.com/security/advisories/VMSA-2014-0002.html




*** ElasticSearch Dynamic Script Arbitrary Java Execution ***
---------------------------------------------
Topic: ElasticSearch Dynamic Script Arbitrary Java Execution Risk: High Text:## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-fr...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2014050154




*** VU#325636: Huawei E303 contains a cross-site request forgery vulnerability ***
---------------------------------------------
Vulnerability Note VU#325636 Huawei E303 contains a cross-site request forgery vulnerability Original Release date: 30 May 2014 | Last revised: 30 May 2014   Overview The built-in web interface of Huawei E303 devices contains a cross-site request forgery vulnerability.  Description Huawei E303 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to send and receive SMS messages using the connected cellular network. CWE-352:
---------------------------------------------
http://www.kb.cert.org/vuls/id/325636




*** VU#124908: Dell ML6000 and Quantum Scalar i500 tape backup system command injection vulnerability ***
---------------------------------------------
Vulnerability Note VU#124908 Dell ML6000 and Quantum Scalar i500 tape backup system command injection vulnerability Original Release date: 30 May 2014 | Last revised: 30 May 2014   Overview Dell ML6000 and Quantum Scalar i500 tape backup system contain a command injection vulnerability.  Description CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)Dells and Quantums advisories state the following:The tape librarys remote user interface...
---------------------------------------------
http://www.kb.cert.org/vuls/id/124908


More information about the Daily mailing list