[CERT-daily] Daily summary - Monday 3-08-2015

Daily end-of-shift report team at cert.at
Mon Aug 3 18:10:38 CEST 2015


=======================
= End-of-Shift report =
=======================

Timeframe:   Friday 31-07-2015 18:00 − Monday 03-08-2015 18:00
Handler:     Stephan Richter
Co-Handler:  n/a




*** One font vulnerability to rule them all #1: Introducing the BLEND vulnerability ***
---------------------------------------------
Posted by Mateusz Jurczyk of Google Project Zero. Last month, I presented parts of my PostScript font security research at the REcon security conference in Montreal, in a talk titled "One font vulnerability to rule them all: A story of cross-software ownage, shared codebases and advanced exploitation". This talk discussed the exploitation process of a vulnerability found in the implementation of a BLEND Charstring instruction, discovered in a user-mode Adobe Reader's CoolType...
---------------------------------------------
http://googleprojectzero.blogspot.com/2015/07/one-font-vulnerability-to-rule-them-all.html




*** Vulnerabilities: Remote access opens car doors ***
---------------------------------------------
A hacker has managed to hook into the Onstar Remotelink software of US car maker General Motors. This allows the vehicle to be unlocked and even started. He was, however, unable to drive away with the hacked vehicle.
---------------------------------------------
http://www.golem.de/news/schwachstellen-fernzugriff-oeffnet-autotueren-1508-115533-rss.html




*** Attack on Dell firmware after deep sleep ***
---------------------------------------------
After waking from standby, the firmware of some Dell computers forgets to protect itself against write access. Attackers could thus inject malicious code into the firmware.
---------------------------------------------
http://heise.de/-2766940




*** Vulnerabilities in the Android multimedia system escalate ***
---------------------------------------------
The vulnerabilities in the multimedia system are more dangerous than first assumed: with manipulated MP4 videos, attackers could gain control of the smartphone.
---------------------------------------------
http://heise.de/-2766925




*** Your Security Policy Is So Lame, (Sun, Aug 2nd) ***
---------------------------------------------
Every person should avoid lame security policies because of the lack of clarity they leave behind. Often times we find ourselves forced into creating security policies due to compliance requirements. Is there a way to lean into this requirement and get value beyond the checkbox? I certainly think so and would like to share some ideas on how you can do this as well. I personally avoided being the policy guy ... The following are several tips and tricks you can use to
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19991&rss




*** Microsoft Windows 10 spies on you by default ***
---------------------------------------------
While Microsoft is offering its new Windows 10 OS for free, security experts argue that the cost for user privacy is much higher. Microsoft Windows 10 is the new operating system of the IT giant; the newborn already reached more than 14 million downloads in just two days. The experts who have already analyzed Windows 10...
---------------------------------------------
http://securityaffairs.co/wordpress/39042/digital-id/windows-10-privacy.html




*** BIND9 - Denial of Service Exploit in the Wild ***
---------------------------------------------
BIND is one of the most popular DNS servers in the world. It comes bundled with almost every cPanel, VPS and dedicated server installation and is used by most DNS providers. A week ago, the Internet Systems Consortium (ISC) team released a patch for a serious denial of service vulnerability (CVE-2015-5477) that allows a remote...
---------------------------------------------
http://feedproxy.google.com/~r/sucuri/blog/~3/RmxRTNcW95o/bind9-denial-of-service-exploit-in-the-wild.html




*** Chrome extensions crocked with simple attack ***
---------------------------------------------
Security-enhancer HTTPS Everywhere switched off with this one weird trick
Detectify researcher Mathias Karlsson says attackers can remove Google Chrome extensions, including the popular HTTPS Everywhere extension, if users do nothing else but visit a web page.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2015/08/03/detectify_disabling_chrome_extensions_https_everywhere/




*** Hijacking Satellite Communications with a $1,000 Device ***
---------------------------------------------
A security researcher demonstrated how to hack a satellite tracking technology with a $1,000 device made of off-the-shelf components. Colby Moore, a security expert from security firm Synack, will present in a talk at the next Black Hat Conference how to hack satellite tracking technology by using a $1,000 device made of off...
---------------------------------------------
http://securityaffairs.co/wordpress/39051/digital-id/hijacking-satellite-communications.html




*** Researchers Create First Firmware Worm That Attacks Macs ***
---------------------------------------------
The common wisdom is that Apple computers are more secure than PCs. It turns out this isn't true.
---------------------------------------------
http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/




*** Anonymization: Another attack on the Tor network described ***
---------------------------------------------
Researchers have discovered another way to unmask user access to Tor's hidden services. Their attack requires a good deal of luck, however, they write. The Tor operators also play it down.
---------------------------------------------
http://www.golem.de/news/anonymisierung-weiterer-angriff-auf-das-tor-netzwerk-beschrieben-1508-115547-rss.html




*** Your SSH Server On Port 8080 Is No Longer "Hidden" Or "Safe", (Mon, Aug 3rd) ***
---------------------------------------------
I am seeing some scanning for SSH servers on port 8080 in web server logs for web servers that listen on this port. So far, I don't see any scans like this for web servers listening on port 80. In web server logs, the scan is reflected as an Invalid Method (error 501) as the web server only sees the banner provided by the SSH client, and of course cannot respond. For example:
222.186.21.180 - - [03/Aug/2015:08:31:55 +0000] SSH-2.0-libssh2_1.4.3 501 303 - -
This IP address in this example is for...
---------------------------------------------
https://isc.sans.edu/diary.html?storyid=19995&rss




*** Designing the Perfect Security Awareness Newsletter ***
---------------------------------------------
Even in smaller organizations, a regular security awareness newsletter can support effective, participative security. While your organization's editorial rules could be a creative break on a really great newsletter, the following tips can help you build up an effective one that will be welcomed by associates and be an asset to the organization's security. Do...
---------------------------------------------
http://resources.infosecinstitute.com/designing-the-perfect-security-awareness-newsletter/




*** Windows 10 Upgrade Spam Carries CTB-Locker Ransomware ***
---------------------------------------------
Spam messages spoofing Microsoft and promising a free Windows 10 upgrade instead drop the CTB-Locker crypto-ransomware on compromised machines.
---------------------------------------------
http://threatpost.com/windows-10-upgrade-spam-carries-ctb-locker-ransomware/114114




*** Google Android Buffer Overflows in DHCP Let Remote Users Execute Arbitrary Code ***
---------------------------------------------
http://www.securitytracker.com/id/1033124




*** D-Link DCS-2103 1.20 CSRF / Cross Site Scripting ***
---------------------------------------------
Topic: D-Link DCS-2103 1.20 CSRF / Cross Site Scripting
Risk: Medium
Text: Hello list! There are Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities in D-Link DCS-2103 (IP camera). ...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015080016




*** VU#360431: Chiyu Technology fingerprint access control contains multiple vulnerabilities ***
---------------------------------------------
Vulnerability Note VU#360431: Chiyu Technology fingerprint access control contains multiple vulnerabilities
Original Release date: 31 Jul 2015 | Last revised: 31 Jul 2015
Overview: Multiple models of Chiyu Technology fingerprint access control devices contain a cross-site scripting (XSS) vulnerability and an authentication bypass vulnerability.
Description: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2015-2870. According to the reporter,  tags are...
---------------------------------------------
http://www.kb.cert.org/vuls/id/360431




*** Juniper Pulse Secure TCP Hardware Acceleration Flaw Lets Remote Users Access Data on the Target System ***
---------------------------------------------
http://www.securitytracker.com/id/1033166




*** FortiSandbox WebUI Multiple XSS vulnerabilities ***
---------------------------------------------
Topic: FortiSandbox WebUI Multiple XSS vulnerabilities
Risk: Low
Text: [+] Credits: John Page aka hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/a...
---------------------------------------------
http://cxsecurity.com/issue/WLB-2015080004




*** DSA-3322 ruby-rack - security update ***
---------------------------------------------
Tomek Rabczak from the NCC Group discovered a flaw in the normalize_params() method in Rack, a modular Ruby webserver interface. A remote attacker can use this flaw via specially crafted requests to cause a `SystemStackError` and potentially cause a denial of service condition for the service.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3322




*** DSA-3326 ghostscript - security update ***
---------------------------------------------
William Robinet and Stefan Cornelius discovered an integer overflow in Ghostscript, the GPL PostScript/PDF interpreter, which may result in denial of service or potentially execution of arbitrary code if a specially crafted file is opened.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3326




*** DSA-3325 apache2 - security update ***
---------------------------------------------
Several vulnerabilities have been found in the Apache HTTPD server.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3325




*** DSA-3323 icu - security update ***
---------------------------------------------
Several vulnerabilities were discovered in the International Components for Unicode (ICU) library.
---------------------------------------------
https://www.debian.org/security/2015/dsa-3323





*** IBM Security Bulletins ***
---------------------------------------------

*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) - IBM Java SDK updates July 2015 ***
http://www.ibm.com/support/docview.wss?uid=swg21963354

*** IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Security Network Intrusion Prevention System ***
http://www.ibm.com/support/docview.wss?uid=swg21962039

*** IBM Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Access Manager for Web ***
http://www.ibm.com/support/docview.wss?uid=swg21963096

*** IBM Security Bulletin: A vulnerability in Diffie-Hellman ciphers affects IBM Security Network Intrusion Prevention System (CVE-2015-4000) ***
http://www.ibm.com/support/docview.wss?uid=swg21962045

*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cloud Manager with OpenStack (CVE-2015-0486 CVE-2015-0491 CVE-2015-0459 CVE-2015-0469 CVE-2015-0458 CVE-2015-0480 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-2808 ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022548

*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM SmartCloud Entry (CVE-2015-0486 CVE-2015-0491 CVE-2015-0459 CVE-2015-0469 CVE-2015-0458 CVE-2015-0480 CVE-2015-0488 CVE-2015-0478 CVE-2015-0477 CVE-2015-2808 ***
http://www.ibm.com/support/docview.wss?uid=isg3T1022550

*** IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security Access Manager for Web and IBM Tivoli Access Manager for e-business ***
http://www.ibm.com/support/docview.wss?uid=swg21963126

*** IBM Security Bulletin: Multiple vulnerabilities in the unzip utility affect IBM Security Access Manager for Web ***
http://www.ibm.com/support/docview.wss?uid=swg21963094

*** IBM Security Bulletin: Vulnerabilities in unzip affect IBM Security Network Intrusion Prevention System (CVE-2014-8139, CVE-2014-8140, CVE-2014-8141, and CVE-2014-9636) ***
http://www.ibm.com/support/docview.wss?uid=swg21962038

