[CERT-daily] Daily summary - Friday 18-12-2015

Daily end-of-shift report team at cert.at
Fri Dec 18 18:09:53 CET 2015


=======================
= End-of-Shift report =
=======================

Timeframe:   Thursday 17-12-2015 18:00 − Friday 18-12-2015 18:00
Handler:     Stephan Richter
Co-Handler:  Alexander Riepl



*** JSA10713 - 2015-12 Out of Cycle Security Bulletin: ScreenOS: Multiple Security issues with ScreenOS (CVE-2015-7755) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10713




*** JSA10712 - 2015-12 Out of Cycle Security Bulletin: ScreenOS: Crafted SSH negotiation may trigger system crash (CVE-2015-7754) ***
---------------------------------------------
http://kb.juniper.net/index?page=content&id=JSA10712




*** Cisco Model DPQ3925 Wireless Residential Gateway Information Disclosure Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151217-gateway




*** Schneider Electric Modicon M340 Buffer Overflow Vulnerability ***
---------------------------------------------
This advisory contains mitigation details for a buffer overflow vulnerability in Schneider Electric's Modicon M340 PLC product line.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-01




*** Motorola MOSCAD SCADA IP Gateway Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for Remote File Inclusion and Cross-Site Request Forgery vulnerabilities in Motorola Solutions MOSCAD IP Gateway.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-02




*** eWON Vulnerabilities ***
---------------------------------------------
This advisory contains mitigation details for several vulnerabilities in the eWON sa industrial router.
---------------------------------------------
https://ics-cert.us-cert.gov/advisories/ICSA-15-351-03




*** Microsoft will stop trusting certificates from 20 Certificate Authorities ***
---------------------------------------------
Starting in January 2016, Microsoft's Trusted Root Certificate Program will no longer include twenty currently trusted CAs and will remove their root certificates from the Trusted ..
---------------------------------------------
http://www.net-security.org/secworld.php?id=19252




*** Docker and Enterprise Security: Establishing Best Practices ***
---------------------------------------------
Virtualization containers, with their extraordinarily efficient hardware utilization, can be like a dream come true for development teams. While containerization will probably ..
---------------------------------------------
http://resources.infosecinstitute.com/docker-and-enterprise-security-establishing-best-practices/




*** IBM Security Bulletins ***
---------------------------------------------
*** Infosphere BigInsights is affected by a vulnerability in DB2 (CVE-2015-1947) ***
http://www.ibm.com/support/docview.wss?uid=swg21967131
---------------------------------------------
*** IBM InfoSphere Balanced Warehouse C3000, C4000, IBM Smart Analytics System 1050, 2050 and 5710 are affected by multiple vulnerabilities in OpenSSL ***
http://www.ibm.com/support/docview.wss?uid=swg21971298
---------------------------------------------
*** Multiple vulnerabilities in current releases of IBM SDK for Node.js in IBM Bluemix ***
http://www.ibm.com/support/docview.wss?uid=swg21973447
---------------------------------------------
*** Multiple Security Vulnerabilities affect IBM Security Privileged Identity Manager Virtual Appliance ***
http://www.ibm.com/support/docview.wss?uid=swg21972496
---------------------------------------------
*** Multiple vulnerabilities in IBM Java SDK affect Rational Functional Tester (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006) ***
http://www.ibm.com/support/docview.wss?uid=swg21972844
---------------------------------------------
*** A vulnerability in lighttpd affects IBM Security Virtual Server Protection for VMware (CVE-2015-3200) ***
http://www.ibm.com/support/docview.wss?uid=swg21973291
---------------------------------------------
*** IBM Multiple vulnerabilities in IBM Java SDK affect IBM API Management ***
http://www.ibm.com/support/docview.wss?uid=swg21972828
---------------------------------------------



*** Citrix XenServer Multiple Security Updates ***
---------------------------------------------
A number of security vulnerabilities have been identified in Citrix XenServer that could, in certain configurations, allow a malicious administrator of a guest VM to compromise the host or obtain potentially sensitive information from other guest VMs. In addition, a vulnerability has been identified that would allow certain applications running on a guest to cause that guest to crash.
---------------------------------------------
https://support.citrix.com/article/CTX203879




*** Vuln: Microsoft Windows Environment Variable Expansion in PATH Security Bypass Weakness ***
---------------------------------------------
http://www.securityfocus.com/bid/44484




*** Cisco IOS and IOS XE Software IKEv1 State Machine Denial of Service Vulnerability ***
---------------------------------------------
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151218-ios




*** SSA-472334 (Last Update 2015-12-18): NTP Vulnerabilities in RUGGEDCOM ROX-based Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-472334.pdf




*** SSA-396873 (Last Update 2015-12-18): TLS Vulnerability in Ruggedcom ROS- and ROX-based Devices ***
---------------------------------------------
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-396873.pdf




*** iOS banking apps security still not good enough, says researcher ***
---------------------------------------------
Repeat test throws up improved results from 2013 but problems remain. The security of mobile banking apps has improved over the ..
---------------------------------------------
www.theregister.co.uk/2015/12/18/ios_banking_app_audit/





