[CERT-daily] Tageszusammenfassung - Montag 3-11-2014

Daily end-of-shift report team at cert.at
Mon Nov 3 18:14:37 CET 2014


=======================
= End-of-Shift report =
=======================

Timeframe:   Freitag 31-10-2014 18:00 − Montag 03-11-2014 18:00
Handler:     Stephan Richter
Co-Handler:  n/a




*** CVE-2014-4115 Analysis: Malicious USB Disks Allow For Possible Whole System Control ***
---------------------------------------------
One of the bulletins that was part of the October 2014 Patch Tuesday cycle was MS14-063 which fixed a vulnerability in the FAT32 disk partition driver that could allow for an attacker to gain administrator rights on affected systems, with only a USB disk with a specially modified file system. This vulnerability as also designated...
---------------------------------------------
http://feeds.trendmicro.com/~r/Anti-MalwareBlog/~3/E2Ur54TO5Qo/




*** CSAM Month of False Positives: Appropriately Weighting False and True Positives, (Fri, Oct 31st) ***
---------------------------------------------
This is a guest diary submitted by Chris Sanders. We will gladly forward any responses or please use our comment/forum section to comment publicly.">">If you work with any type of IDS, IPS, or other">detection technology then you have to deal with false positives. One">common">mistake I see people make when managing their indicators and rules is">relying">solely on the rate of false positives that are observed. While...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18905&rss




*** CVE-2012-0158 continues to be used in targeted attacks ***
---------------------------------------------
30-month old vulnerability still a popular way to infect systems.If all you have to worry about are zero-day vulnerabilities, you have got things pretty well sorted. Although it is true that sometimes zero-days are being used to deliver malware (such as the recent use of CVE-2014-4114 by the SandWorm group), in many cases even the more targeted attacks get away with using older, long patched vulnerabilities, exploiting the fact that many users and organisations dont patch as quickly as they
---------------------------------------------
http://www.virusbtn.com/blog/2014/10_31a.xml?rss




*** Reversing D-Link's WPS Pin Algorithm ***
---------------------------------------------
While perusing the latest firmware for D-Link's DIR-810L 80211ac router, I found an interesting bit of code in sbin/ncc, a binary which provides back-end services used by many other processes on the device, including the HTTP and UPnP servers: I first began examining this particular piece of code with the...
---------------------------------------------
http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/




*** Adobe: Aktuelle Flash-Sicherheitslücken bereits in Exploit-Kits ***
---------------------------------------------
Es wird wieder Zeit, sich bei Sicherheitslücken verstärkt um Adobes Flashplayer zu kümmern. Zwei gerade erst abgesicherte und gefährliche Sicherheitslöcher sind bereits in aktuelle Exploit-Kits integriert worden. Eset glaubt sogar, dass Flash nun wieder Java in der Beliebtheitsskala ablöst.
---------------------------------------------
http://www.golem.de/news/adobe-aktuelle-flash-sicherheitsluecken-bereits-in-exploit-kits-1411-110247-rss.html




*** justniffer a Packet Analysis Tool, (Mon, Nov 3rd) ***
---------------------------------------------
Are you looking for another packet sniffer? justniffer is a packet sniffer with some interesting features. According to the author, this packet sniffer can rebuild and save HTTP file content sent over the network. It uses portions of Linux kernel source code for handling all TCP/IP stuff. Precisely, it uses a slightly modified version of the libnids libraries that already include a modified version of Linux code in a more reusable way.[1] The tarball can be downloaded here and a package is
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=18907&rss




*** BE2 Custom Plugins, Router Abuse, and Target Profiles ***
---------------------------------------------
The BlackEnergy malware is crimeware turned APT tool and is used in significant geopolitical operations lightly documented over the past year. An even more interesting part of the BlackEnergy story is the relatively unknown custom plugin capabilities to attack ARM...
---------------------------------------------
http://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-target-profiles/




*** Security: Sicherheitslücke in Mac OS X 10.10 entdeckt ***
---------------------------------------------
In Mac OS X 10.10 und 10.8.5 befindet sich eine Sicherheitslücke, die die Übernahme des gesamten Systems ermöglicht. Details hat ihr Entdecker noch nicht veröffentlicht - in Absprache mit Apple.
---------------------------------------------
http://www.golem.de/news/security-sicherheitsluecke-in-mac-os-x-10-10-entdeckt-1411-110265-rss.html




*** OpenBSD 5.6 kickt OpenSSL ***
---------------------------------------------
Mit der neuen Version des freien Unix steigen die OpenBSD-Macher von OpenSSL auf LibreSSL um. Dazu kommen zahlreiche kleinere Verbesserungen.
---------------------------------------------
http://www.heise.de/newsticker/meldung/OpenBSD-5-6-kickt-OpenSSL-2441288.html/from/rss09?wt_mc=rss.ho.beitrag.rdf




*** Hacking Team: Handbücher zeigen Infektion Über Code Injection und WLAN ***
---------------------------------------------
"Internetüberwachung leicht gemacht": Die italienische Firma Hacking Team gilt neben Finfisher als bekanntester Hersteller von Spionagesoftware. Nun veröffentlichte Handbücher zeigen die Möglichkeiten der Überwachung.
---------------------------------------------
http://www.golem.de/news/hacking-team-handbuecher-zeigen-infektion-ueber-code-injection-und-wlan-1411-110272-rss.html




*** RDP Replay ***
---------------------------------------------
Here at Context we work hard to keep our clients safe. During routine client monitoring our analysts noticed some suspicious RDP traffic. It was suspicious for two reasons. Firstly the client was not in the habit of using RDP, and secondly it had a Chinese keyboard layout. This information is available in the ClientData handshake message of non-SSL traffic, and can easily be seen in wireshark.
---------------------------------------------
http://contextis.com/resources/blog/rdp-replay/




*** l+f: Analyse des Drupal-Desasters ***
---------------------------------------------
Wie konnte das nur passieren? Müssen wir alle sterben?
---------------------------------------------
http://www.heise.de/security/meldung/l-f-Analyse-des-Drupal-Desasters-2441484.html




*** Visa: Kreditkarten-Lücke ermöglicht Abbuchen von einer Million Dollar per NFC ***
---------------------------------------------
Mittels präpariertem Terminal - Forscher stellen Leck auf Sicherheitskonferenz vor - Visa beschwichtigt
---------------------------------------------
http://derstandard.at/2000007655779




*** Ongoing Sophisticated Malware Campaign Compromising ICS (Update A) ***
---------------------------------------------
This alert update is a follow-up to the original NCCIC/ICS-CERT Alert titled ICS-ALERT-14-281-01 Ongoing Sophisticated Malware Campaign Compromising ICS that was published October 28, 2014, on the ICS-CERT web site.
---------------------------------------------
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01A




*** Bugtraq: [SE-2014-01] Missing patches / inaccurate information regarding Oracle Oct CPU ***
---------------------------------------------
http://www.securityfocus.com/archive/1/533862




*** HP CM3530 Color LaserJet Printer Lets Remote Users Access Data and Deny Service ***
---------------------------------------------
http://www.securitytracker.com/id/1031153




*** CBI Referral Manager <= 1.2.1 Cross-Site Scripting (XSS) ***
---------------------------------------------
2014-11-01T18:57:24
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7654




*** GB Gallery Slideshow 1.5 - SQL Injection ***
---------------------------------------------
2014-11-02T13:12:44
---------------------------------------------
https://wpvulndb.com/vulnerabilities/7655




*** Vuln: MantisBT Incomplete Fix Multiple SQL Injection Vulnerabilities ***
---------------------------------------------
http://www.securityfocus.com/bid/70856




*** VU#210620: uIP and lwIP DNS resolver vulnerable to cache poisoning ***
---------------------------------------------
Vulnerability Note VU#210620 uIP and lwIP DNS resolver vulnerable to cache poisoning Original Release date: 03 Nov 2014 | Last revised: 03 Nov 2014   Overview The DNS resolver implemented in uIP and lwIP is vulnerable to cache poisoning due to non-randomized transaction IDs (TXIDs) and source port reuse.  Description CWE-330: Use of Insufficiently Random Values - CVE-2014-4883The DNS resolver implemented in all versions of uIP, as well as lwIP versions 1.4.1 and earlier, is vulnerable to cache...
---------------------------------------------
http://www.kb.cert.org/vuls/id/210620




*** IBM Security Bulletin: Weaker than expected security with Liberty Repository affecting Rational Application Developer for WebSphere Software (CVE-2014-4767) ***
---------------------------------------------
The WebSphere Application Server Liberty profile could provide weaker than expected security when installing features via the Liberty Repository. A remote attacker could exploit this vulnerability using a man-in-the-middle technique to cause the installation of malicious code.  CVE(s): CVE-2014-4767  Affected product(s) and affected version(s):   IBM Rational Application Developer for WebSphere Software 9.1.0.1    Refer to the following reference URLs for remediation and additional
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_weaker_than_expected_security_with_liberty_repository_affecting_rational_application_developer_for_websphere_software_cve_2014_4767?lang=en_us




*** IBM Security Bulletin: Multiple Security vulnerabilities found in WebSphere Commerce XML External Entity (XXE) Processing (CVE-2014-4834, CVE-2014-4769 ) ***
---------------------------------------------
IBM WebSphere Commerce Enterprise, Professional, Express and Developer is vulnerable to a denial of service, caused by issues with detecting recursion during entity expansion.  CVE(s): CVE-2014-4834 and CVE-2014-4769  Affected product(s) and affected version(s):   WebSphere Commerce V6.0 and V7.0    Refer to the following reference URLs for remediation and additional vulnerability details: Source Bulletin:
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_multiple_security_vulnerabilities_found_in_websphere_commerce_xml_external_entity_xxe_processing_cve_2014_4834_cve_2014_4769?lang=en_us




*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors ***
---------------------------------------------
There are multiple vulnerabilities in OpenSSL that is used by IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139). These issues were disclosed on August 6, 2014 by the OpenSSL Project.  CVE(s): CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512 and CVE-2014-5139  Affected...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_multiple_vulnerabilities_in_openssl_affect_ibm_tivoli_netcool_system_service_monitors_application_service_monitors?lang=en_us




*** IBM Security Bulletin: IBM Notes Traveler for Android client explicit warning against use of HTTP (CVE-2014-6130) ***
---------------------------------------------
The IBM Notes Traveler client for Android devices allows the end user to connect to their Traveler server over HTTPS (using SSL) or the open HTTP standard. At present, the client application does not explicitly warn the end user if the Traveler administrator has chosen the insecure HTTP variant as the transport medium.  CVE(s): CVE-2014-6130  Affected product(s) and affected version(s):   All releases of IBM Notes Traveler for Android prior to version 9.0.1.3.     Refer to the following...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_ibm_notes_traveler_for_android_client_explicit_warning_against_use_of_http_cve_2014_6130?lang=en_us




*** IBM Security Bulletin: IBM Tivoli NetView for z/OS (distributed components) affected by multiple vulnerabilities that have been identified in IBM Runtime Environment, Java Technology Edition, Versions 6 & 7 (CVE-2014-4263 and ***
---------------------------------------------
Vulnerabilities have been identified in IBM Runtime Environment, Java Technology Edition, Versions 6 and 7, utilized by IBM Tivoli NetView for z/OS distributed components.  CVE(s): CVE-2014-4263 and CVE-2014-4244  Affected product(s) and affected version(s):    This vulnerability is known to affect IBM Tivoli NetView for z/OS v5.3, 5.4, 6.1, 6.2 & 6.2.1 in certain distributed components.  Releases/systems/configurations not known to be affected: IBM Tivoli NetView for...
---------------------------------------------
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_ibm_tivoli_netview_for_z_os_distributed_components_affected_by_multiple_vulnerabilities_that_have_been_identified_in_ibm_runtime_environment_java_technology_edition_versions_


More information about the Daily mailing list